Hello,

I mailed to both CERT and the Sun security email addresses over a month back. Neither replied until I mailed again explicitly asking whether or not they'd even received my mail. Having heard nothing for a month now I've decided to mail here.

There is a bug in many versions of sendmail to do with the -d command line option. This allows setting of arbitrary elements of the debug array. I first heard of the bug whilst examining the IDA sendmail source code 2-3 years back. I am astounded that such a bug spotted such a long while ago has not yet made its way into vendors' distributions.

To test if your sendmail has it, try using -d with a number greater than max signed int and less than max unsigned int, preferably one far enough from either to be well outside normal address space ranges when used as an array index. Eg:

    $ sendmail -d3294967296

If this causes a segmentation fault then you'll likely have the bug in your version of sendmail. The problem is that numbers in this range may skip the range checks and result in accessing negative indexes into the debug array. Hence it is possible to write to locations in memory before the debug array.

I've tested this on the standard Solaris 2.3 distribution and have successfully obtained root access using this method. I have also tested on Ultrix 4.2A (apparently has no problem), DEC OSF/1 V1.2 (has a problem), and SunOS 4.1 (also has a problem). Note that the above -d argument is by no means a valid check of whether your system is affected; it is just very likely to point out the problem.

As I mentioned above, the IDA sendmail has this fixed. Do an archie -s for +IDA and you'll find various IDA distributions around. Alternatively, if you have the source for another version of sendmail then check this.
For BSD based versions: in trace.c a function tTflag() starts with the lines:

    tTflag(s)
            register char *s;
    {
            int first, last;
            register int i;

This should be changed to:

    tTflag(s)
            register char *s;
    {
            unsigned int first, last;
            register unsigned int i;

Many thanks to Francis Dupont who, according to the IDA source, originally reported the problem.

James

James Bonfield (jkb@mrc-lmb.cam.ac.uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
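The signed/unsigned mistake the message describes, as an added C demonstration that is not from the sendmail source or from the poster: it reproduces the digit accumulation and the single upper-bound check as the text describes them (the array size TTSIZE is a constructed value and a 32-bit int is assumed) and returns the index each version of the check would use, instead of touching any memory.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TTSIZE 100   /* constructed debug-vector size; real tTsize not on the page */

/* Accumulate digits as tTflag() does, in unsigned 32-bit arithmetic so
 * wraparound is well defined in this demonstration. */
static uint32_t parse_decimal(const char *s)
{
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (uint32_t)(*s++ - '0');
    return v;
}

/* Index the vulnerable code would use: the value is held in a signed
 * 32-bit int, so anything above INT_MAX reads as negative and slips
 * past the only check, first >= TTSIZE. */
long long vulnerable_index(const char *arg)
{
    uint32_t raw = parse_decimal(arg);
    /* two's-complement reinterpretation of the 32-bit value as int */
    long long first = raw > INT_MAX ? (long long)raw - (1LL << 32)
                                    : (long long)raw;
    if (first >= TTSIZE)
        first = TTSIZE - 1;
    return first;            /* negative for the range the message names */
}

/* Index the fixed code would use: with unsigned first/last/i the same
 * check clamps every out-of-range value, so 0 <= index < TTSIZE. */
long long fixed_index(const char *arg)
{
    uint32_t first = parse_decimal(arg);
    if (first >= TTSIZE)
        first = TTSIZE - 1;
    return (long long)first;
}

int main(void)
{
    const char *arg = "3294967296";   /* the -d value from the message */
    printf("signed int:   index %lld\n", vulnerable_index(arg));
    printf("unsigned int: index %lld\n", fixed_index(arg));
    return 0;
}
```

With the message's value the signed version yields index -1000000000, a write well before the array, while the unsigned version clamps it to TTSIZE - 1.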