Perry Metzger says:
> Charles Howes says:
> > > Our copy of ping is installed setuid root; ...
> >
> > So you mean that any student at princeton can panic any Sun there just by
> > typing that command?  Cool...
>
> There are already so many ways to panic suns from userland...

Here's a complete waste of bandwidth and everyone's time... Name as many
ways to remotely panic a Sun that you know of, Perry, or don't fill the
ether with this worthless drivel.

ObBug:

By default, newaliases creates the aliases database files mode 666. This
means any user can, by hand, insert the "|uudecode" (or any other alias)
simply by replacing one of the entries in the database file. Sendmail
(newaliases is just a link to sendmail usually) 8.6.x isn't vulnerable to
this, but most are.

Here's the problem:
(sendmail:newaliases.c -- "@(#)newaliases.c 5.4 (Berkeley) 6/1/90")

    (void) strcpy(dirbuf, aliases);
    (void) strcat(dirbuf, ".dir");
    (void) strcpy(pagbuf, aliases);
    (void) strcat(pagbuf, ".pag");
    f = creat(dirbuf, 0666);
    if (f < 0)
    {
        perror(dirbuf);
        exit(1);
    }
    (void)close(f);

To test this, remove your aliases.pag and aliases.dir and run 'newaliases'.
If the files reappear as 666, your sendmail is vulnerable.

The default Sun 4.1.3_U1 sendmail is vulnerable and at the time I sent it
in, Unicos sendmail was also vulnerable, as well as others, I'm sure.

BTW: I sent this to CERT and CIAC over a year ago, and it doesn't appear to
be fixed yet (at least not by Sun).

-Mike
(no longer an employee of LANL--I speak for myself)

CERT/CIAC: If you want a writeup and exploitation scripts, I can send them
to you again...
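
An added example, not part of the original post and not sendmail code: a POSIX shell audit for the condition described above, reporting aliases .dir/.pag files that non-owners can write and stripping those write bits. The function names and the base path passed in are assumptions.

```shell
#!/bin/sh
# Audit the dbm files that newaliases builds next to the aliases file.
# Argument: the aliases base path (site-specific; supplied by the caller).

# Print one finding per database file that is group- or world-writable.
alias_db_findings() {
    base=$1
    for f in "$base.dir" "$base.pag"; do
        [ -e "$f" ] || continue
        # -perm -0002 matches when the world-write bit is set (the 666 case).
        if [ -n "$(find "$f" -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE $f"
        # -perm -0020 matches group-write, which is also wider than needed.
        elif [ -n "$(find "$f" -prune -perm -0020 -print 2>/dev/null)" ]; then
            echo "GROUP-WRITABLE $f"
        fi
    done
    return 0
}

# Return 0 when the database files are clean, 1 (and print findings) if not.
check_alias_db() {
    findings=$(alias_db_findings "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Mitigation: drop group/other write permission on the existing files.
# Files rebuilt by a vulnerable newaliases need this re-applied afterwards.
fix_alias_db() {
    for f in "$1.dir" "$1.pag"; do
        [ -e "$f" ] || continue
        chmod go-w "$f" || return 1
    done
    return 0
}
```

Run `check_alias_db` with the aliases path your sendmail configuration names; a non-zero exit status means at least one database file is writable by someone other than its owner.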