enZo Notice
Date: 21/09/02
Product: Sendmail
Mentioned By: netmask
Versions: 8.12.6 and below to 8.12.0. No other versions checked.
Problem: String precision when logging too short.

[enZo ASCII-art logo, "* 2002 *", www.enz-o.org]

The above is radical ascii art.. the below is a lame discovery.

When connecting to Sendmail with an ident of 95 characters or longer, Sendmail will not log attempts to VRFY, EXPN, ETRN, no-queue attempts, possible SMTP attacks, etc., and it will allow people to hide their address in the maillog when sending E-mail. The full ident reply, hostname and IP address are still included in the headers of a delivered E-mail; however, they will not be included in the maillog. This behaviour is identical regardless of the LogLevel defined in sendmail.cf. It was tested on Sendmail 8.12.5, however it should work without issue on all 8.12.X releases, and possibly others.
Example logs:

Sep 20 21:29:40 enZo sendmail[25867]: g8L4Tcjd025867: IDENT:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Sep 20 21:24:52 enZo sendmail[25831]: g8L4Oajd025831: from=<spam@fluffybunny.com>, size=5, class=0, nrcpts=1, msgid=<200209210424.g8L4Oajd025831@enzo.peteisinthepool.com>, proto=SMTP, daemon=MTA, relay=IDENT:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

There is no way to execute code, because this is a trivial issue. When printing to the logs, Sendmail is specifically limiting the client field to 100 characters (IDENT + 95 characters). Anywhere in the code you see the string precision declaration of %.100s applied to CurSmtpClient is affected. An example of the code in question is:

    /* different message for MSA ? */
    message("502 5.7.0 Sorry, we do not allow this operation");
    if (LogLevel > 5)
        sm_syslog(LOG_INFO, e->e_id,
                  "%.100s: %s [rejected]",
                  CurSmtpClient, shortenstring(inp, MAXSHORTSTR));

It seems that the precision should be the same length as MAXNAME, due to ibuf being defined as MAXNAME + 1 when reading the ident information. However, I'm sure Sendmail has their reasons for this usage. If nothing else, the ident should be truncated to 100 - 15 (15 for IP storage), and then the IP/hostname information concatenated onto the end of it. The hostname may also be truncated in the event someone is using an extremely long hostname: truncated ident, IP address, then fill the rest of the space with the hostname.

Vendor was notified Friday, September 20th in the afternoon. Due to this being a trivial bug, I don't really mind releasing it now. Especially because if it bugs someone really bad, the code modifications are easy.
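The truncation and the suggested fix side by side, as an added example that is not Sendmail's code or the advisory author's: the naive function formats the whole client string through a fixed "%.100s" precision, exactly as the logging calls above do, so a 95-character ident pushes the hostname and address past the cut; the hardened function follows the advisory's suggestion of reserving 15 characters for the address, capping the ident first and giving whatever is left to the hostname. The client-string layout "IDENT:ident@host [ip]", the hostname, the documentation-range address and the 95-character ident are all constructed assumptions for this example.

```c
/*
 * Added example (not sendmail source). Layout "IDENT:ident@host [ip]" and
 * all sample values are assumptions made for the demonstration.
 */
#include <stdio.h>
#include <string.h>

#define LOGFIELD_MAX  100   /* width the advisory reports for "%.100s" */
#define IPSTR_RESERVE 15    /* the advisory's "15 for IP storage" */

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Behaviour the advisory describes: build the full client string, then
 * print it through a fixed precision. Everything past column 100 is lost,
 * and with a long ident that is precisely the hostname and the address. */
int format_client_naive(char *out, size_t outlen,
                        const char *ident, const char *host, const char *ip)
{
    char full[1024];
    if (ident != NULL && *ident != '\0')
        snprintf(full, sizeof full, "IDENT:%s@%s [%s]", ident, host, ip);
    else
        snprintf(full, sizeof full, "%s [%s]", host, ip);
    return snprintf(out, outlen, "%.100s", full);
}

/* The advisory's suggestion: reserve room for the address, truncate the
 * ident first, and hand whatever remains to the hostname. The address is
 * never cut; the hostname is trimmed only once the ident is at its cap. */
int format_client_safe(char *out, size_t outlen,
                       const char *ident, const char *host, const char *ip)
{
    size_t ipfield = strlen(ip) + 3;                   /* " [" ip "]" */
    size_t reserve = ipfield > IPSTR_RESERVE ? ipfield : IPSTR_RESERVE;
    size_t host_room, host_len;

    if (ident == NULL || *ident == '\0') {
        host_room = ipfield < LOGFIELD_MAX ? LOGFIELD_MAX - ipfield : 0;
        host_len = min_sz(strlen(host), host_room);
        return snprintf(out, outlen, "%.*s [%s]", (int)host_len, host, ip);
    }

    /* "IDENT:" (6) + ident + "@" (1) must leave the reserved address room */
    size_t ident_room = reserve + 7 < LOGFIELD_MAX ? LOGFIELD_MAX - reserve - 7 : 0;
    size_t ident_len = min_sz(strlen(ident), ident_room);
    size_t used = 6 + ident_len + 1 + ipfield;
    host_room = used < LOGFIELD_MAX ? LOGFIELD_MAX - used : 0;
    host_len = min_sz(strlen(host), host_room);
    return snprintf(out, outlen, "IDENT:%.*s@%.*s [%s]",
                    (int)ident_len, ident, (int)host_len, host, ip);
}

/* Constructed sample: a 95-character ident (the advisory's threshold), a
 * made-up hostname and a documentation-range address. */
char demo_naive[LOGFIELD_MAX + 1];
char demo_safe[LOGFIELD_MAX + 1];
const char *demo_ip = "192.0.2.10";

/* Returns 1 when the naive field lost the address and the safe one kept it. */
int run_demo(void)
{
    char ident[96];
    memset(ident, 'A', 95);
    ident[95] = '\0';
    format_client_naive(demo_naive, sizeof demo_naive, ident, "mail.example.test", demo_ip);
    format_client_safe(demo_safe, sizeof demo_safe, ident, "mail.example.test", demo_ip);
    return strstr(demo_naive, demo_ip) == NULL && strstr(demo_safe, demo_ip) != NULL;
}

int main(void)
{
    run_demo();
    printf("naive: relay=%s\n", demo_naive);
    printf("safe : relay=%s\n", demo_safe);
    return 0;
}
```

Both fields come out exactly 100 characters wide, so the hardened version changes nothing about log layout; the difference is only which end of the string absorbs the truncation. The check a defender cares about is simply whether the address survives, which is what run_demo() reports.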