Bugtraq mailing list archives

Re: sendmail -d hole


From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Fri, 18 Mar 94 9:07:42 EST


Andrew Beckett writes:
> James Bonfield writes:
> |> produce a relative pathname. Once you've got your own sendmail config I'm
> |> sure you all realise how easy obtaining root access is. There are
> |> presumably many other memory locations that can also be overwritten to
> |> have a similar effect.
>
> Isn't it easier to get your own config by using the -C command line arg of
> sendmail?

The -C flag resets the userid back to you. I.e. it revokes root privileges.

> Or am I missing something? Mind you, I can't see straight away how you would
> get root access from the config file (Not that I really need to know
> this, just that it really can be done).

Redefine the local mail program to (say) /tmp/gotcha; remove any 'secure'
flags that prevent it running under root; change the default uid and
gid; and then mail yourself. This worked for me.

The problem is, how do we get the vendors to fix this bug? I've mailed Sun. I
will mail DEC too. People should mail other vendors they know have the bug.
However if Sun are anything to go by, then informing the vendors probably
won't make much difference!

        James