Re: procmail / Sendmail - five bugs

From: Rob Jones (robert.e.jonesat_private)
Date: Mon Dec 20 1999 - 19:38:44 PST


    > a) Sendmail (tested with 8.9.3 and previous) allows you to put mail
    >    addressed to eg. '|/bin/sh' (or any file) into mail queue. Fortunately,
    >    this queue file should contain also line like 'Croot' to be processed
    >    properly, while we have no idea how to put it there. But, anyway,
    >    seems to be dangerous - Sendmail should reject such crap immediately:
    >
    >    /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh'
    >
    >   (without these double-quotes, it _will_ immediately drop your message)
    
    With or without these double-quotes the message is immediately dropped
    on Red Hat Linux with the message
    
    [rob@greedo rob]$ /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh'
    ""|/bin/sh... User unknown
    
    [rob@greedo rob]$ /usr/sbin/sendmail -O 'DeliveryMode=d' '|/bin/sh'
    |/bin/sh... Cannot mail directly to programs
    
    Same happens if I am root or try remotely.
    
    Rob
    
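A recipient sanity check of the kind a mail front end could apply, added here as an illustration and not taken from sendmail or procmail: it treats the quoted-empty-local-part form from the thread (`""|/bin/sh`) the same as the bare `|/bin/sh`, so neither reaches the queue as a mailbox. The classification rules and the sample recipient list are my own assumptions, deliberately cruder and more conservative than full RFC 822 parsing.

```python
# Constructed sample recipients: the two forms tested in the thread,
# a file target, and an ordinary mailbox.
SAMPLE_RECIPIENTS = ['""|/bin/sh', '|/bin/sh', '/etc/passwd', 'rob@greedo']


def bare_local_part(addr: str) -> str:
    """Return the local part with quote characters and backslash escapes
    removed, so a leading '""' cannot mask the pipe or path behind it.
    Assumption: this is a conservative filter, not an RFC 822 parser."""
    local = addr.split("@", 1)[0]
    return local.replace("\\", "").replace('"', "").strip()


def classify_recipient(addr: str) -> str:
    """Classify a recipient as 'program', 'file' or 'user'.
    Any '|' anywhere in the unquoted local part is treated as a program
    target (conservative by design); a leading '/' is a file target."""
    bare = bare_local_part(addr)
    if "|" in bare:
        return "program"
    if bare.startswith("/"):
        return "file"
    return "user"


def reject_unsafe(recipients):
    """Split recipients into accepted mailboxes and rejected program/file
    targets, the way a pre-queue filter would before handing off to the MTA."""
    accepted, rejected = [], []
    for r in recipients:
        (accepted if classify_recipient(r) == "user" else rejected).append(r)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = reject_unsafe(SAMPLE_RECIPIENTS)
    print("accepted:", ok)   # ['rob@greedo']
    print("rejected:", bad)  # ['""|/bin/sh', '|/bin/sh', '/etc/passwd']
```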



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:16 PDT