Bugtraq mailing list archives
Re: sendmail exploit script
From: WIDNERM () hsdwl utc com (MICHAEL R. WIDNER)
Date: 28 Mar 1994 10:55:49 -0400 (EDT)
From: UTRCGW::IN%"widnerm () hsdwl utc com" To: IN%"bugtraq () crimelab COM" CC: Subj: RE: sendmail exploit script - resend
I've spent some time on my solaris 2.3 workstation trying this script. It seems to me that you could change the default config file using the output of calc BUT that the solaris sendmail will execute the alias.sh script as user nobody in all cases. Could someone confirm that?
The bug is slightly more difficult to abuse under solaris 2.x, but it is not impossible. The easy thing to do is change Mlocal to some arbitrary program that you want to run as root. The following example works just fine. main() { suid(0); chown("/tmp/newsh",0,0); chmod("/tmp/newsh",04755)} Of course you have to copy some arbitrary program to /tmp/newsh before running this.
Ps: Of course it does not mean that the solaris version is safe!
I know of no sun4 version of sendmail that is safe from this bug. I have tested 8 versions of sun sendmail, including all the latest patches for both 4.1.3 and 2.3, and all are vulnerable. Sun said that they expect to have a patch within a few weeks.
-Mike Widner <widnerm () hsdwl utc com>