Bugtraq mailing list archives
Re: udp packet storms - ping death
From: mcn () c3serve c3 lanl gov (Michael Neuman)
Date: Wed, 2 Nov 1994 21:34:55 -0700 (MST)
Perry Metzger says:
> Charles Howes says:
> Our copy of ping is installed setuid root; ...
> So you mean that any student at princeton can panic any Sun there just by typing that command? Cool...
> There are already so many ways to panic suns from userland...

Here's a complete waste of bandwidth and everyone's time... Name as many ways to remotely panic a Sun that you know of, Perry, or don't fill the ether with this worthless drivel.

ObBug: By default, newaliases creates the aliases database files mode 666. This means any user can, by hand, insert the "|uudecode" (or any other alias) simply by replacing one of the entries in the database file. Sendmail (newaliases is just a link to sendmail usually) 8.6.x isn't vulnerable to this, but most are.

Here's the problem:
(sendmail:newaliases.c -- "@(#)newaliases.c 5.4 (Berkeley) 6/1/90")

        (void) strcpy(dirbuf, aliases);
        (void) strcat(dirbuf, ".dir");
        (void) strcpy(pagbuf, aliases);
        (void) strcat(pagbuf, ".pag");
        f = creat(dirbuf, 0666);
        if (f < 0) {
                perror(dirbuf);
                exit(1);
        }
        (void)close(f);

To test this, remove your aliases.pag and aliases.dir and run 'newaliases'. If the files reappear as 666, your sendmail is vulnerable.

The default Sun 4.1.3_U1 sendmail is vulnerable and at the time I sent it in, Unicos sendmail was also vulnerable, as well as others, I'm sure.

BTW: I sent this to CERT and CIAC over a year ago, and it doesn't appear to be fixed yet (at least not by Sun).

-Mike (no longer an employee of LANL--I speak for myself)

CERT/CIAC: If you want a writeup and exploitation scripts, I can send them to you again...
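Added example (not part of the original post and not sendmail's code): an audit of the two dbm files for group/world write bits, with the creat(…, 0666) pattern from the post beside a hardened creation routine. The function names and the /etc/aliases default are assumptions made for illustration; pass your own aliases path as the first argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is group- or world-writable, 0 if not, -1 on error. */
int db_is_loosely_writable(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Pattern quoted in the post: mode 0666 is requested, so the result is
   whatever the caller's umask leaves of it. */
int create_db_legacy(const char *path) {
    int f = creat(path, 0666);
    return f < 0 ? -1 : close(f);
}

/* Hardened variant (an assumption, not sendmail's fix): O_EXCL refuses a
   pre-existing file or symlink; fchmod pins 0644 regardless of umask. */
int create_db_hardened(const char *path) {
    int f = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (f < 0) return -1;
    if (fchmod(f, 0644) < 0) { close(f); unlink(path); return -1; }
    return close(f);
}

/* Count loosely writable files among <aliases>.dir and <aliases>.pag. */
int audit_alias_db(const char *aliases) {
    static const char *ext[] = { ".dir", ".pag" };
    char buf[1024];
    int bad = 0;
    for (int i = 0; i < 2; i++) {
        int n = snprintf(buf, sizeof buf, "%s%s", aliases, ext[i]);
        if (n < 0 || n >= (int)sizeof buf) return -1;
        int r = db_is_loosely_writable(buf);
        if (r < 0) return -1;
        bad += r;
    }
    return bad;
}

int main(int argc, char **argv) {
    const char *aliases = argc > 1 ? argv[1] : "/etc/aliases";
    int bad = audit_alias_db(aliases);
    printf("%s: %d loosely writable db file(s)\n", aliases, bad);
    return bad == 0 ? 0 : 1;
}
```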