Re: sendmail exploit script - resend

Bonfield James (jkb@mrc-lmb.cam.ac.uk)
Mon, 28 Mar 94 9:08:49 EDT

James Abendchan writes:

>What follows is a sample run exercising the latest sendmail hole and the
>script used to exploit this hole.  This is a re-send; I neglected

I would rather have seen this posted on Monday (i.e. today).

Also, it would have been nice to see in addition (maybe only? - it probably
doesn't matter) the _method_ and analyses rather than just the script. It
takes time (albeit short) to understand a script, but takes no time for a
cracker to run it. This is especially useful for some of the earlier
rdist style of bugs.

Also, it may be nice to have a warning that such a script is about to be posted.
It has, however, been a reasonable time since the announcement of the bug, so
there are no complaints there.

Also, (as many people have pointed out before and since the posting) read
access is normally required to exploit this particular bug. It may perhaps be
possible to core dump sendmail by catching it after it has revoked setuid and
before it has executed your .forward file (for those relevant circumstances).

># this program will be executed when mail is sent to the fake alias.
># since solaris sh and csh and tcsh refuse to run when euid != realuid,
># we instead run the program we compiled above.

Does anyone know quite what the logic behind these shell checks is? They're
just a pain and a stumbling block that are trivial to work around. Is it only
Sun-derived things that do this?

	James

James Bonfield (jkb@mrc-lmb.cam.ac.uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.