Bugtraq mailing list archives

Re: new sendmail bug?

From: mvn () Library UCLA EDU (Michael Van Norman)
Date: Thu, 23 Feb 1995 05:31:10 -0800 (PST)

I just read the new CERT advisory on the sendmail bug.. anybody have any 
details?


No details, but I have confirmed part of it on one of my AIX boxes.

I gathered it had something to do with imbedding newlines in
either the info it reads from identd and/or imbedding newlines
when giving it command line options.. but it's hard to say.


The method I exploited was that of using newlines in the command
options.  By imbedding newlines in the recipient address, it is
possible to write extra lines to sendmail's queue file.  Carefully
chosen additions will let you run an arbitrary program as an arbitrary
user (except maybe root -- I cracked bin).

-- 
Michael Van Norman
mvn () library ucla edu                  Library Information Systems/Development
+1.310.206.5579 (voice)                 University of California, Los Angeles
+1.310.206.2880 (facsimile)                 11334 University Research Library
http://www.library.ucla.edu/~mvn          Los Angeles, California  90095-1575

Current thread:

Sun Security Bulletin #129 (sendmail), (continued)
- - - Sun Security Bulletin #129 (sendmail) Mark Graff (Feb 22)
    - new sendmail bug? James W. Abendschan (Feb 22)
    - Re: new sendmail bug? joel (Feb 22)
    - Re: new sendmail bug? Dave Horsfall (Feb 22)
    - Sendmail 8.6.10: what's different? der Mouse (Feb 23)
    - X keyboard sniffing Paul Howell (Feb 23)
    - Re: Sendmail 8.6.10: what's different? Igor V. Semenyuk (Feb 23)
    - Re: Sendmail 8.6.10: what's different? Peter Wemm (Feb 24)
    - Re: Sendmail 8.6.10: what's different? Peter Wemm (Feb 23)
    - Re: Sendmail 8.6.10: what's different? Christian Wettergren (Feb 24)
    - Re: new sendmail bug? Michael Van Norman (Feb 23)
    - Re: snooper watchers Aleph One (Feb 22)
    - Re: HP-UX Problem... Pete Shipley (Feb 21)