
Internet Security Industry News

Postfix 1.1.12 remote Denial of Service


August 6, 2003

There is a remotely exploitable denial of service vulnerability in Postfix up to and including 1.1.12. The vulnerability does not affect the most current version, 2.0, due to a major overhaul of the address parsing code. Releases prior to 1.1.9 are not vulnerable by default, but will be exposed if append_dot_mydomain is turned off in the configuration file.

Recent 1.1 releases, having no publicly disclosed security problems, are still commonly used and shipped in several popular Linux distributions, including Red Hat 9 and Debian 3.0 (woody), both of which ship 1.1.11.

The vulnerability lies in the address parser code. By supplying a remote SMTP listener with a malformed envelope address, it is possible, depending on the method, to either:

- Cause the queue manager, nqmgr, to lock up permanently, effectively stopping any queue processing, so that all mail traffic is suppressed. Restarting the service has no effect: a specific entry has to be removed from the queue to fix the problem. For that reason, the built-in watchdog that restarts nqmgr after a period of nonresponsive behavior cannot recover the service from this condition.

The attack can be performed by forcing the service to queue a mail to an address that would generate a bounce - depending on the configuration, it can be , or, if user names are being checked, . The "mail from" or "Errors-To" address should be set to "<.!>" or "<.!@local-server-name>". An attempt to parse and rewrite the latter address when preparing a bounce will lock up the service.


- Lock up a single instance of the SMTP listener in an unusable state that persists after the client disconnects. By repeating this, it is possible to DoS the service (or entire system, depending on the configuration) in a very effective manner.

This can be achieved by providing any valid "MAIL FROM" in an SMTP conversation, and then supplying a "RCPT TO" similar to "MAIL FROM" in the previous example. If the server is vulnerable, the session should freeze at this point. The latter approach, since it only creates a single stalled process, is a less intrusive method of testing your systems for this issue remotely.

The attack can be detected by looking for "resolve_clnt_query: null recipient" in your maillog. It is then necessary to find the problematic entry in the queue and remove it manually, then restart the service. It should be noted that it is often possible to attack instances that do not have port 25 reachable from the Internet - envelope addresses and certain headers such as Errors-To may very well be preserved when a message is relayed via another system or service.
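
The log check described above, together with a check for the append_dot_mydomain setting that exposes releases before 1.1.9, as an added example that is not part of the original advisory. The syslog line layout, the sample log lines and all function names are assumptions made for illustration; only the indicator string and the parameter name come from the text.

```python
import re
from collections import Counter

# Indicator string quoted in the advisory.
INDICATOR = "resolve_clnt_query: null recipient"
# Assumed traditional syslog layout: "Mon DD HH:MM:SS host postfix/daemon[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    "Aug  6 10:15:01 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]",
    "Aug  6 10:15:02 mx1 postfix/smtpd[2211]: resolve_clnt_query: null recipient",
    "Aug  6 10:15:09 mx1 postfix/smtpd[2240]: resolve_clnt_query: null recipient",
    "Aug  6 10:16:30 mx1 postfix/nqmgr[1987]: resolve_clnt_query: null recipient",
    "Aug  6 10:17:00 mx1 sshd[900]: Accepted publickey for admin",
]

def find_hits(lines):
    """Return parsed fields for every Postfix log line carrying the indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m and INDICATOR in m["msg"]:
            hits.append(m.groupdict())
    return hits

def hits_per_daemon(hits):
    """Count indicator lines per Postfix daemon that logged them."""
    return Counter(h["daemon"] for h in hits)

def append_dot_mydomain_off(main_cf_text):
    """True if main.cf turns append_dot_mydomain off (the pre-1.1.9 exposure)."""
    value = "yes"  # assumption: treated as on when the parameter is not set
    for line in main_cf_text.splitlines():
        m = re.match(r"append_dot_mydomain\s*=\s*(\S+)", line)
        if m:
            value = m[1].lower()  # a later definition overrides an earlier one
    return value == "no"

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["host"], h["daemon"], h["pid"])
    print(dict(hits_per_daemon(hits)))
```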

Source: Security Corp.

Copyright © Internet 2003