Bugtraq mailing list archives

Re: udp packet storms - ping death


From: mcn () c3serve c3 lanl gov (Michael Neuman)
Date: Wed, 2 Nov 1994 21:34:55 -0700 (MST)


Perry Metzger says:
Charles Howes says:
Our copy of ping is installed setuid root; ...

So you mean that any student at princeton can panic any Sun there just by
typing that command?  Cool...

There are already so many ways to panic suns from userland...

Here's a complete waste of bandwidth and everyone's time... Name as many
ways to remotely panic a Sun that you know of, Perry, or don't fill the
ether with this worthless drivel.

ObBug: By default, newaliases creates the aliases database files mode 666. 
This means any user can, by hand, insert the "|uudecode" (or any other alias) 
simply by replacing one of the entries in the database file. Sendmail
(newaliases is just a link to sendmail usually) 8.6.x isn't vulnerable to 
this, but most are. Here's the problem:
(sendmail:newaliases.c -- "@(#)newaliases.c        5.4 (Berkeley) 6/1/90")
        (void) strcpy(dirbuf, aliases);   /* dirbuf = "<aliases>.dir" */
        (void) strcat(dirbuf, ".dir");
        (void) strcpy(pagbuf, aliases);   /* pagbuf = "<aliases>.pag" */
        (void) strcat(pagbuf, ".pag");
        f = creat(dirbuf, 0666);          /* mode 0666: group/world-writable unless the umask strips it */
        if (f < 0) {
                perror(dirbuf);
                exit(1);
        }
        (void)close(f);
To test this, remove your aliases.pag and aliases.dir and run
'newaliases'. If the files reappear as 666, your sendmail is vulnerable.
The default Sun 4.1.3_U1 sendmail is vulnerable and at the time I sent it
in, Unicos sendmail was also vulnerable, as well as others, I'm sure.
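The manual check above (run newaliases, look at the mode of the .dir/.pag files) and the creat(dirbuf, 0666) in the excerpt, as an added example in C that is not sendmail's code or the poster's: audit_aliases_db() counts how many of <aliases>.dir and <aliases>.pag are group- or world-writable, and create_aliases_db_safely() shows the hardened counterpart of the creat call, creating both files with a fixed 0644 mode and an explicit fchmod so neither the caller's umask nor a pre-existing 0666 file leaves them writable. The /etc/aliases default and the /tmp sample paths are assumptions; create_sample_0666() only produces a constructed file with the mode the vulnerable newaliases leaves behind, so the audit has something to flag.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char *db_suffix[2] = {".dir", ".pag"};

/* Build "<aliases><suffix>" into out; -1 if it would not fit. */
static int build_db_path(char *out, size_t n, const char *aliases, const char *suffix)
{
    int len = snprintf(out, n, "%s%s", aliases, suffix);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* 1 if path is writable by group or others, 0 if not, -1 if stat fails. */
int world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* The check from the post, as a function: examine <aliases>.dir and
 * <aliases>.pag and count how many are group/world-writable.
 * Returns that count (0 means the database files are safe),
 * or -1 if either file cannot be examined. */
int audit_aliases_db(const char *aliases)
{
    char path[1024];
    int bad = 0;
    for (int i = 0; i < 2; i++) {
        if (build_db_path(path, sizeof path, aliases, db_suffix[i]) < 0)
            return -1;
        int w = world_writable(path);
        if (w < 0)
            return -1;
        bad += w;
    }
    return bad;
}

/* Hardened counterpart of creat(dirbuf, 0666): create both database files
 * owner-writable only, then fchmod() explicitly so the result does not
 * depend on the umask and a pre-existing 0666 file is tightened too.
 * Returns 0 on success, -1 on error. */
int create_aliases_db_safely(const char *aliases)
{
    char path[1024];
    for (int i = 0; i < 2; i++) {
        if (build_db_path(path, sizeof path, aliases, db_suffix[i]) < 0)
            return -1;
        int f = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (f < 0) {
            perror(path);
            return -1;
        }
        if (fchmod(f, 0644) < 0) {   /* explicit, umask-independent mode */
            perror(path);
            close(f);
            return -1;
        }
        close(f);
    }
    return 0;
}

/* Constructed sample for demonstration only: a file with the 0666 mode the
 * vulnerable newaliases leaves behind, so the audit has something to flag. */
int create_sample_0666(const char *path)
{
    int f = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (f < 0)
        return -1;
    int rc = fchmod(f, 0666);
    close(f);
    return rc;
}

int main(int argc, char **argv)
{
    /* The /etc/aliases default is an assumption; pass another base name to audit it. */
    const char *aliases = argc > 1 ? argv[1] : "/etc/aliases";
    int bad = audit_aliases_db(aliases);
    if (bad < 0) {
        fprintf(stderr, "%s: could not examine .dir/.pag files\n", aliases);
        return 2;
    }
    printf("%s: %d group/world-writable database file(s)\n", aliases, bad);
    return bad ? 1 : 0;
}
```

Run it with the base name of the aliases file (for example ./audit /etc/aliases) after newaliases has rebuilt the database; a non-zero count is the same condition the post's "reappear as 666" test detects, and the fix on the sendmail side is exactly the change from creat(..., 0666) to a fixed owner-only mode shown in create_aliases_db_safely().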

BTW: I sent this to CERT and CIAC over a year ago, and it doesn't appear
to be fixed yet (at least not by Sun).

-Mike
(no longer an employee of LANL--I speak for myself)
CERT/CIAC: If you want a writeup and exploitation scripts, I can send
them to you again...
