A number of people have asked for details on how to exploit one aspect of the recently revealed sendmail bug. The short answer is that I do not feel comfortable sending out a cookbook type approach to the net at large. The longer answer is that I don't think that cookbook approaches equal full disclosure.

In my previous mail I indicated that newlines in the recipient address could be used to write "extra" lines to the sendmail queue file. This level of detail to me is almost (if not actually) equivalent to full disclosure. The clue is enough to indicate the nature of the attack. Combined with a little investigation into the structure of a sendmail queue file, it is enough information to understand what is taking place (and to construct an exploit script if one is so inclined).

I agree that CERT-type messages are woefully inadequate. Saying "sendmail has a hole, patch it" is a far cry from the information necessary to understand what is wrong. Without knowing what is actually going on, one cannot verify that something is fixed -- nor does one learn anything from the experience (and may therefore proceed to write code with the same problem, or fail to recognize a similar exposure in some other area).

I would argue that simply providing an exploit script is also a flawed approach. First, the script may not work on all platforms (the attack is slightly different between stock AIX and sendmail 8.6.6 for instance). This might lead one to have a false sense of security. Second, the script may or may not make clear the reason for the exposure. If I don't know why the script works, then I am no better off than before. On the other hand, a description of the problem educates me to what is going on, gives me what I need to analyze potential fixes, and gives me a reasonable start on developing my own test if I need such a tool.

That said, let me expand a bit on my admittedly terse description from yesterday.
When a message is queued for delivery by sendmail, a pair of files is written to the spool directory (/var/spool/mqueue on many systems). One of these files (qf<something>) contains information related to the processing of the message (headers, sender, recipient, etc.). Taking versions of sendmail prior to 8.6.10 as an example, one of the pieces of information maintained in this file is the name of the controlling user if mail is being delivered to a script (or file). By feeding sendmail a recipient address that contains newlines, it is possible to add lines to the queue file which specify a controlling user and an executable to run with that user's access level. The 8.6.10 patch removes this hole by stripping newlines from the recipient address before writing the queue file.

-- 
Michael Van Norman                          mvn@library.ucla.edu
Library Information Systems/Development     +1.310.206.5579 (voice)
University of California, Los Angeles       +1.310.206.2880 (facsimile)
11334 University Research Library           http://www.library.ucla.edu/~mvn
Los Angeles, California 90095-1575
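To make the nature of the 8.6.10 fix concrete, here is an added example (not sendmail's own code, and not from the message above) that models writing one recipient record to a line-oriented queue file. The "R" record prefix and the 512-byte address limit are assumptions for the illustration; the point is that an address containing CR or LF occupies more than one queue-file line unless those characters are stripped before the record is written.

```c
#include <stdio.h>
#include <string.h>

/* Number of queue-file lines a record occupies: one per '\n'. */
static int count_lines(const char *s) {
    int n = 0;
    for (; *s; s++)
        if (*s == '\n') n++;
    return n;
}

/* Strip CR and LF from an address in place, as the 8.6.10 fix does for the
 * recipient before it reaches the qf file. Returns how many characters were
 * removed, so a caller can log that a crafted address was seen. */
size_t strip_newlines(char *addr) {
    char *src = addr, *dst = addr;
    size_t removed = 0;
    for (; *src; src++) {
        if (*src == '\n' || *src == '\r') { removed++; continue; }
        *dst++ = *src;
    }
    *dst = '\0';
    return removed;
}

/* Format an assumed "R<address>\n" record and return the number of lines it
 * would occupy in the queue file. With sanitize == 0 the record is written
 * the way a pre-8.6.10 sendmail would; with sanitize != 0 it is written the
 * patched way. A correct record always occupies exactly one line. */
int record_line_count(const char *addr, int sanitize) {
    char clean[512], rec[520];
    if (strlen(addr) >= sizeof clean) return -1;   /* oversize address */
    strcpy(clean, addr);
    if (sanitize) strip_newlines(clean);
    if (snprintf(rec, sizeof rec, "R%s\n", clean) >= (int)sizeof rec) return -1;
    return count_lines(rec);
}

int main(void) {
    /* Constructed sample: a recipient with an embedded newline. */
    const char *crafted = "user@example.com\nXextra line";
    printf("unsanitized: %d line(s)\n", record_line_count(crafted, 0));
    printf("sanitized:   %d line(s)\n", record_line_count(crafted, 1));
    return 0;
}
```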