Internet Security Industry News
Postfix 1.1.12 remote Denial of Service
August 6, 2003
There is a remotely exploitable denial of service vulnerability in Postfix up to and including 1.1.12. The vulnerability does not affect the most current version, 2.0, due to a major overhaul of the address parsing code. Releases prior to 1.1.9 are not vulnerable by default, but will be exposed if append_dot_mydomain is turned off in the configuration file.
Recent 1.1 releases, having no publicly disclosed security problems, are still commonly used and shipped in several popular Linux distributions, including Red Hat 9 and Debian 3.0 (woody) - both distributions ship 1.1.11.
The vulnerability lies in the address parser code. By supplying a remote SMTP listener with a malformed envelope address, it is possible to, depending on the method, either:
- Cause the queue manager, nqmgr, to lock up permanently, effectively stopping any queue processing - all mail traffic is suppressed. Restarting the service has no effect - a specific entry has to be removed from the queue to fix the problem. For that reason, the built-in watchdog that restarts nqmgr after a period of nonresponsive behavior is not able to recover from this condition.
The attack can be performed by forcing the service to queue a mail to an address that would generate a bounce - depending on the configuration, it can be
- Lock up a single instance of the smtp listener in an unusable state that persists after the client disconnects. By repeating this, it is possible to DoS the service (or the entire system, depending on the configuration) in a very effective manner.
This can be achieved by providing any valid "MAIL FROM" in an SMTP conversation, and then supplying a "RCPT TO" similar to the "MAIL FROM" in the previous example. If the server is vulnerable, the session should freeze at this point. The latter approach, since it only creates a single stalled process, is a less intrusive method of testing your systems for this issue remotely.
The attack can be detected by looking for "resolve_clnt_query: null recipient" in your maillog. It is then necessary to find the problematic entry in the queue and remove it manually, then restart the service. It should be noted that it is often possible to attack instances that do not have port 25 reachable from the Internet - envelope addresses and certain headers such as Errors-To may very well be preserved when a message is relayed via another system or service.
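Added example (not part of this advisory or of Postfix itself): a small Python triage helper that applies the version rules stated above and scans syslog-style maillog lines for the "resolve_clnt_query: null recipient" marker, grouping hits by Postfix process. The syslog line layout assumed by the regex and the sample log lines are constructed for the example; releases above 1.1.12 are treated as outside the stated affected range.

```python
"""Triage helpers for the Postfix 1.1.x address-parser DoS described above."""
import re
from collections import Counter

# Detection string quoted in the advisory.
SIGNATURE = "resolve_clnt_query: null recipient"

# Assumed syslog layout: "Aug  6 10:14:03 mx1 postfix/smtpd[2211]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>postfix/\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample maillog; the exact wording Postfix logs may differ.
SAMPLE_MAILLOG = """\
Aug  6 10:14:02 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Aug  6 10:14:03 mx1 postfix/smtpd[2211]: warning: resolve_clnt_query: null recipient
Aug  6 10:14:03 mx1 postfix/nqmgr[1820]: warning: resolve_clnt_query: null recipient
Aug  6 10:15:40 mx1 postfix/smtpd[2218]: disconnect from unknown[192.0.2.10]
""".splitlines()


def parse_version(version):
    """'1.1.11' -> (1, 1, 11) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def is_affected(version, append_dot_mydomain=True):
    """Rules from the advisory: <= 1.1.12 affected, 2.0 not affected,
    releases before 1.1.9 only if append_dot_mydomain is turned off."""
    ver = parse_version(version)
    if ver >= (2, 0) or ver > (1, 1, 12):  # 2.0+ and later fixed releases (assumed)
        return False
    if ver < (1, 1, 9):
        return not append_dot_mydomain
    return True


def scan_maillog(lines):
    """Return one record per line carrying the signature, with parsed fields."""
    hits = []
    for line in lines:
        if SIGNATURE not in line:
            continue
        m = SYSLOG_RE.match(line)
        fields = m.groupdict() if m else {"ts": None, "host": None, "prog": None, "pid": None}
        fields["pid"] = int(fields["pid"]) if fields["pid"] else None
        hits.append(fields)
    return hits


def summarize(hits):
    """Count hits per Postfix process, e.g. smtpd (stalled listener) vs nqmgr (stuck queue)."""
    return Counter(h["prog"] for h in hits)
```

A hit attributed to nqmgr points at the queue-lockup variant, where the offending queue entry must be removed before a restart helps.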
Source: Security Corp.