James Abendchan writes:
>What follows is a sample run exercising the latest sendmail hole and the
>script used to exploit this hole. This is a re-send; I neglected

I would rather have seen this posted on Monday (i.e. today).

Also, it would have been nice to see in addition (maybe only? - it probably doesn't matter) the _method_ and analyses rather than just the script. It takes time (albeit short) to understand a script, but takes no time for a cracker to run it. This is especially useful for some of the earlier rdist-style bugs.

Also, it may be nice to have a warning that such a script is about to be posted. It has however been a reasonable time since the announcement of the bug, so there are no complaints there.

Also, (as many people have pointed out before and since the posting) read access is normally required to exploit this particular bug. It may perhaps be possible to core dump sendmail by catching it after it has revoked setuid and before it has executed your .forward file (for those relevant circumstances).

># this program will be executed when mail is sent to the fake alias.
># since solaris sh and csh and tcsh refuse to run when euid != realuid,
># we instead run the program we compiled above.

Does anyone know quite what the logic behind these shell checks is? They're just a pain and a stumbling block that is trivial to work around. Is it only Sun-derived things that do this?

James

James Bonfield (jkb@mrc-lmb.cam.ac.uk) Tel: 0223 402499 Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.