Bugtraq mailing list archives

Re: sendmail -d hole


From: newsham () wiliki eng hawaii edu (Timothy Newsham)
Date: Sun, 20 Mar 1994 14:56:25 -1000 (HST)



c) Even with b) it is tricky to obtain the correct address as most sendmails
are normally void of all debugging information.

Not really.  I have written up a program that will find the correct addresses
whether or not the binary contained debugging information.  It's a simple
matter of generating a core dump with a pattern in the debug vector and
doing a search through the core image for the patterns you need.  The whole
program fits easily into a small script and could be used quite easily for
breaking into a wide range of systems.

e) The -d value probably differs for each system type, and probably for each
system release.

I've only done testing on SunOS 4.1.3.  The operator did a reboot in the
middle of my testing and I noticed that the value changed.  I'm not sure
exactly why that is (the same exact binary image was used); my best guess is
that it is related to the shared libraries.  Other systems that
are a bit more static will probably have one magic number that works
on all systems.

James Bonfield (jkb () mrc-lmb cam ac uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
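The core-scanning step Newsham describes above (fill the debug vector with a recognisable pattern, force a core dump, then search the core image for that pattern to recover the vector's address) can be illustrated with the following C program. This is an added example, not Newsham's script and not sendmail code: the core image is a constructed byte buffer embedded in the program, the marker value is an arbitrary choice, and the segment-table values used to turn a file offset into a virtual address (seg_file_off, seg_vaddr) are hypothetical; a real run would read them from the core file's own headers and would be preceded by producing the core as the message describes.

```c
/* Added example: locate a marker pattern in a core image and map its
 * offset back to the virtual address the crashed program used.
 * Not from the original post; the "core" below is constructed inline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MARKER_LEN 4
/* Arbitrary marker value (assumption); anything unlikely to occur by chance. */
static const unsigned char MARKER[MARKER_LEN] = { 0xde, 0xad, 0xbe, 0xef };

/* Offset of the first occurrence of pattern in image, or -1 if absent. */
long find_pattern(const unsigned char *image, size_t image_len,
                  const unsigned char *pattern, size_t pattern_len)
{
    if (pattern_len == 0 || image_len < pattern_len) return -1;
    for (size_t i = 0; i + pattern_len <= image_len; i++)
        if (memcmp(image + i, pattern, pattern_len) == 0) return (long)i;
    return -1;
}

/* Number of back-to-back copies of pattern starting exactly at off. */
size_t count_marker_run(const unsigned char *image, size_t image_len, size_t off,
                        const unsigned char *pattern, size_t pattern_len)
{
    size_t n = 0;
    while (off + pattern_len <= image_len &&
           memcmp(image + off, pattern, pattern_len) == 0) {
        n++;
        off += pattern_len;
    }
    return n;
}

/* Offset of the first run of at least min_repeats consecutive copies of
 * pattern, or -1.  A vector filled with the marker shows up as a long run,
 * which distinguishes it from a stray single match elsewhere in the image. */
long find_marker_vector(const unsigned char *image, size_t image_len,
                        const unsigned char *pattern, size_t pattern_len,
                        size_t min_repeats)
{
    if (pattern_len == 0) return -1;
    size_t i = 0;
    while (i + pattern_len <= image_len) {
        size_t run = count_marker_run(image, image_len, i, pattern, pattern_len);
        if (run >= min_repeats) return (long)i;
        i += run ? run * pattern_len : 1;   /* skip past a short run */
    }
    return -1;
}

/* Translate an offset inside a dumped segment to the program's virtual
 * address.  seg_file_off/seg_vaddr describe where that segment sits in the
 * core file and in memory; they come from the core's segment table. */
uintptr_t core_offset_to_vaddr(size_t off, size_t seg_file_off, uintptr_t seg_vaddr)
{
    return seg_vaddr + (off - seg_file_off);
}

/* Constructed stand-in for a data-segment dump: 64 zero bytes, one stray
 * copy of the marker at offset 64, 28 more zero bytes, then a 16-entry
 * "debug vector" filled with the marker starting at offset 96 (160 total). */
size_t build_demo_core(unsigned char *buf, size_t cap)
{
    const size_t total = 64 + MARKER_LEN + 28 + 16 * MARKER_LEN;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf + 64, MARKER, MARKER_LEN);
    for (int i = 0; i < 16; i++)
        memcpy(buf + 96 + (size_t)i * MARKER_LEN, MARKER, MARKER_LEN);
    return total;
}

int main(void)
{
    unsigned char core[256];
    size_t n = build_demo_core(core, sizeof core);
    long off = find_marker_vector(core, n, MARKER, MARKER_LEN, 8);
    if (off < 0) { puts("marker vector not found"); return 1; }
    /* Hypothetical segment table: segment starts at file offset 0, mapped at 0x20000. */
    printf("vector at core offset %ld, %zu entries, vaddr 0x%lx\n", off,
           count_marker_run(core, n, (size_t)off, MARKER, MARKER_LEN),
           (unsigned long)core_offset_to_vaddr((size_t)off, 0, 0x20000));
    return 0;
}
```

Requiring a run of several consecutive markers is what keeps a stray copy of the pattern (the one at offset 64 in the constructed image) from being mistaken for the vector; on a real core the offset-to-address step must use the segment table from that specific dump, which is consistent with Newsham's observation that the value can change between runs of the same binary.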



