CVE-ID

CVE-1999-0250

Description
Denial of service in Qmail through long SMTP commands.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
19990607
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20010301)
Votes (Legacy)
ACCEPT(2) Hill, Meunier
MODIFY(1) Frech
REJECT(1) Baker
REVIEWING(1) Christey
Comments (Legacy)
 Frech> XF:qmail-rcpt
 Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144.  In reading
   through both bugtraq postings, the one that is referenced by 0144 is
   based on a shell code exploit to cause memory exhaustion. The bugtraq
   posting referenced by this entry refers explicitly to the prior
   posting for 0144, and states that the same effect could be
   accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969    CVE-1999-0144
   http://www.securityfocus.com/archive/1/6970    CVE-1999-0250
   
   Both references should be added to CVE-1999-0144, and CVE-1999-0250
   should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they
   regarded it as a duplicate as well.
   
   qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."

Proposed (Legacy)
19990630
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.