Re: Root shell vixie cron exploit

[peter () NETPLEX COM AU (Peter Wemm)]

John Kennedy wrote:
> On Wed, Sep 01, 1999 at 09:08:55PM +0400, Seva Gluschenko wrote:
> > man sendmail:
> > /-C
> > ...skipping...
> >     -Cfile  Use alternate configuration file.  Sendmail refuses to run
> >             as root if an alternate configuration file is specified.
> >
> > and it does, for sure %-).
> >
> > Just tested this on different versions of FreeBSD and had no effects
> > except Mail Delivery message:
> >
> > The following address has permanent fatal errors:
> > -C/tmp/vixie-cf gvs
> >
> > So, sendmail _really_ refuses to accept -C key when run as root
>
>   ???  I haven't looked hard at that exploit, but I know sendmail and that
> is untrue.

Yes, and all the ``fixes'' to the problem that I've seen are going in the
wrong direction IMHO.  FreeBSD simply does not let the user pass *any*
arguments to sendmail.  It calls sendmail with '-t' and the problem is
solved.  Completely.  No need to mess around with bizzare command line
argument filtering or other fragile solutions because the problem is gone
once there are no command line arguments to filter.  We fixed this
particular problem in April 1995 along with tightening up a few other
things.

Cheers,
-Peter

--
Peter Wemm - peter () FreeBSD org; peter () yahoo-inc com; peter () netplex com au