Bugtraq mailing list archives

Reported Sendmail 8.8.4 Exploit


From: gshapiro () SENDMAIL ORG
Date: Tue, 25 Mar 1997 18:04:20 -0500


After many hours looking at the code and trying to reproduce the reported
exploit in 8.8.4, I still don't see it as possible.  It was possible in 8.8.3,
but 8.8.4 fixed this.

If anyone is able to reproduce this problem with 8.8.4, please send me the
output of doing the exploit as follows:

/usr/lib/sendmail -d44.5 -bs

This will emulate the SMTP conversation so you can use the posted exploit.
You can also try:

/usr/lib/sendmail -d44.5 -f nonexistentuser nonexistentuser < /dev/null

which will avoid the need to go through the SMTP conversation.

People using 8.8.5 can also try to reproduce it since there weren't any
changes from 8.8.4 to 8.8.5 which would have fixed this problem except 8.8.5
doesn't save to dead.letter the way the exploit shows.  You can still get a
save to dead.letter in 8.8.5 by removing the postmaster alias and rebuilding
your alias database before trying the commands above.

I would really like to hear from someone who can do this so I can be sure a
fix gets into 8.8.6.
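The two reproduction commands above, wrapped in one harness as an added example; this script is not from the original message or from the Sendmail project. It runs both variants with the -d44.5 trace that was asked for, keeps each trace in a file, and reports whether the trace shows a dead.letter save. The sendmail path, the SMTP dialogue used to stand in for the posted exploit (the page does not carry the exploit itself; the dialogue just mirrors the -f form, same nonexistent user as sender and recipient), the "Saved message in" marker string and the REPRO_RUN guard are this script's own assumptions.

```shell
#!/bin/sh
# Added reproduction harness (not part of the original Bugtraq message).
# Assumptions: the sendmail binary path, the SMTP dialogue that stands in
# for the posted exploit, and the "Saved message in" marker are all this
# script's own choices, not facts from the page.

SENDMAIL="${SENDMAIL:-/usr/lib/sendmail}"   # assumed path; override via env
USER_NAME="${USER_NAME:-nonexistentuser}"   # unknown local user, as in the post

# SMTP dialogue fed to "sendmail -bs": sender and recipient are both the
# nonexistent local user, which is what "-f nonexistentuser nonexistentuser"
# does without going through SMTP. This is an assumed minimal transaction,
# not the exploit that was posted (that is not on the page).
smtp_session() {
    printf 'HELO localhost\r\n'
    printf 'MAIL FROM:<%s>\r\n' "$1"
    printf 'RCPT TO:<%s>\r\n' "$1"
    printf 'DATA\r\n'
    printf 'Subject: 8.8.4 dead.letter test\r\n\r\ntest body\r\n.\r\n'
    printf 'QUIT\r\n'
}

# Scan a saved trace for evidence that the message was written to dead.letter.
# Returns 0 when seen, 1 otherwise. Using the "Saved message in" notice and
# the file name as markers is an assumption of this script.
trace_shows_dead_letter() {
    grep -q -e 'dead.letter' -e 'Saved message in' "$1"
}

# Run one variant with -d44.5, keep the trace, and report the result.
# $1 = label ("smtp" or "direct"); remaining args follow -d44.5 on the command line.
run_variant() {
    label="$1"; shift
    trace="${TMPDIR:-/tmp}/sendmail-$label.$$"
    if [ "$label" = smtp ]; then
        smtp_session "$USER_NAME" | "$SENDMAIL" -d44.5 "$@" >"$trace" 2>&1 || true
    else
        "$SENDMAIL" -d44.5 "$@" </dev/null >"$trace" 2>&1 || true
    fi
    if trace_shows_dead_letter "$trace"; then
        echo "$label: dead.letter save seen; send $trace to gshapiro"
    else
        echo "$label: no dead.letter save; trace kept in $trace"
    fi
}

main() {
    if [ ! -x "$SENDMAIL" ]; then
        echo "no sendmail binary at $SENDMAIL" >&2
        return 2
    fi
    run_variant smtp -bs                               # /usr/lib/sendmail -d44.5 -bs
    run_variant direct -f "$USER_NAME" "$USER_NAME"    # -d44.5 -f user user < /dev/null
}

# Only run when asked (REPRO_RUN=1), so sourcing the file just defines helpers.
if [ "${REPRO_RUN:-0}" = 1 ]; then
    main
fi
```

On 8.8.5 the message notes that the alias for postmaster must be removed and the alias database rebuilt first, or the save to dead.letter will not happen; the script does not do that for you.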


