Bugtraq mailing list archives
Re: New Sendmail bug
From: bygranz () RS6000 CMP ILSTU EDU (Gonzo Granzeau)
Date: Mon, 24 Mar 1997 10:17:05 -0600
Jeffrey Moyer once rambled this:

> On Sat, 22 Mar 1997 C0WZ1LL4 () NETSPACE ORG wrote:
> > Hello fellow mongoloids
> >
> > Try this:
> > Make hard link of /etc/passwd to /var/tmp/dead.letter
> > Telnet to port 25, send mail from some bad email address to some
> > unreachable host.
> > Watch your message get appended to passwd.
> > ie:
> > cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh

okay, just want to point out some things about this exploit... this won't work on big boxes that are partitioned cause you can only do a hard link on the same file system.

another point is that any box that has a 'MAILER-DAEMON' defined will get any mail that gets sent there instead of it saving it to /var/tmp/dead.letter, ie, make an /etc/aliases file that defines a MAILER-DAEMON. for instance, i add these two to my /etc/aliases:

    MAILER-DAEMON:gonzo
    postmaster:gonzo

then you just type 'newaliases' and you're good to go. (postmaster is a general good idea) course then you have to deal with ppl's messed up mail...

> Okay, here is a very very simple kluge to temporarily fix it. Create a
> file /var/tmp/dead.letter with chmod 0644 perms. That way no one can make
> the hard link to /etc/passwd, b/c the file /var/tmp/dead.letter already
> exists.

that would help out cause you could see who was trying to break into your system, but that is not an agreeable solution.

gonzo

--
+----R-----------------T---------------------F------------------M---+
| Gonzo Granzeau   http://www.ilstu.edu/~bygranz   Unix Support `8r) |
| "Let's go get tatoos!!"  "uh... okay."                            |
| Nothing I (/usr/dict/words) has to do with Unix Support           |
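
A defensive check for the conditions discussed in this thread, added here as an example and not part of any poster's message: it flags a dead.letter that shares an inode with a protected file or has extra hard links, a missing dead.letter, and missing MAILER-DAEMON/postmaster aliases. The function name `audit_dead_letter` and the output wording are assumptions; paths are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example: audit for the dead.letter hard-link condition from this thread.
# audit_dead_letter DEAD_LETTER PROTECTED_FILE ALIASES_FILE
# Prints one finding per line; returns 0 if nothing is flagged, 1 otherwise.
audit_dead_letter() {
    dead=$1; protected=$2; aliases=$3; rc=0

    if [ ! -e "$dead" ]; then
        # The stopgap in the thread is to pre-create this file (mode 0644).
        echo "WARN: $dead does not exist"
        rc=1
    elif [ "$dead" -ef "$protected" ]; then
        # Same device and inode: both names refer to one file.
        echo "ALERT: $dead is the same file as $protected"
        rc=1
    elif [ -n "$(find "$dead" -prune -type f -links +1)" ]; then
        # A normal dead.letter has exactly one name on the file system.
        echo "ALERT: $dead has more than one hard link"
        rc=1
    fi

    # With these aliases defined, the mail is delivered to a person
    # rather than saved to dead.letter, as described in the reply.
    for name in MAILER-DAEMON postmaster; do
        if ! grep -Eiq "^${name}[[:space:]]*:" "$aliases" 2>/dev/null; then
            echo "WARN: no $name alias in $aliases"
            rc=1
        fi
    done
    return $rc
}

# Typical call on a live host:
#   audit_dead_letter /var/tmp/dead.letter /etc/passwd /etc/aliases
```
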