Bugtraq mailing list archives

Re: sendmail exploit script


From: WIDNERM () hsdwl utc com (MICHAEL R. WIDNER)
Date: 28 Mar 1994 10:55:49 -0400 (EDT)


From:   UTRCGW::IN%"widnerm () hsdwl utc com"
To:     IN%"bugtraq () crimelab COM"
CC:     
Subj:   RE: sendmail exploit script - resend

I've spent some time on my solaris 2.3 workstation trying this script.
It seems to me that you could change the default config file
using the output of calc BUT that the solaris sendmail will execute
the alias.sh script as user nobody in all cases.
Could someone confirm that?

The bug is slightly more difficult to abuse under solaris 2.x, but
it is not impossible.  The easy thing to do is change Mlocal to
some arbitrary program that you want to run as root.  The following
example works just fine.

main()
{ suid(0); chown("/tmp/newsh",0,0); chmod("/tmp/newsh",04755)}

Of course you have to copy some arbitrary program to /tmp/newsh before
running this.

Ps: Of course it does not mean that the solaris version is safe!

I know of no sun4 version of sendmail that is safe from this bug.
I have tested 8 versions of sun sendmail, including all the latest
patches for both 4.1.3 and 2.3, and all are vulnerable.

Sun said that they expect to have a patch within a few weeks.

-Mike Widner
<widnerm () hsdwl utc com>
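
Added example, not part of the original post: a defender-side check that parses the mailer (M) definitions in a sendmail.cf and flags an Mlocal whose P= program is not the expected delivery agent, which is the config change the message above describes. The allowlist, the world-writable directory list and the sample configs are assumptions constructed for illustration.

```python
import re

# Assumption: the delivery agents this site accepts for Mlocal.
EXPECTED_LOCAL = {"/bin/mail", "/usr/lib/mail.local"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/usr/tmp/")

def parse_mailers(cf_text):
    """Return {mailer: {field: value}} from the M lines of a sendmail.cf."""
    raw_defs, current = {}, None
    for line in cf_text.splitlines():
        if line[:1] in (" ", "\t") and current:   # continuation of an M line
            raw_defs[current] += " " + line.strip()
        elif line.startswith("M"):
            name, _, rest = line[1:].partition(",")
            current = name.strip()
            raw_defs[current] = rest.strip()
        else:
            current = None
    mailers = {}
    for name, raw in raw_defs.items():
        fields = {}
        # A= (argv) may contain commas; treated here as the last field.
        argv = re.search(r"(?:^|,)\s*A=(.*)$", raw)
        if argv:
            fields["A"], raw = argv.group(1).strip(), raw[:argv.start()]
        for key, val in re.findall(r"(?:^|,)\s*([A-Z])=([^,]*)", raw):
            fields[key] = val.strip()
        mailers[name] = fields
    return mailers

def audit_local_mailer(cf_text, expected=EXPECTED_LOCAL):
    """Return findings for the local mailer; an empty list means no finding."""
    local = parse_mailers(cf_text).get("local")
    if local is None:
        return ["no Mlocal definition found"]
    path, findings = local.get("P", ""), []
    if path not in expected:
        findings.append(f"Mlocal P={path} is not an expected delivery agent")
    if path.startswith(WORLD_WRITABLE):
        findings.append(f"Mlocal P={path} is under a world-writable directory")
    return findings

# Constructed sample configs (not taken from the post).
GOOD_CF = "# sample\nMlocal, P=/bin/mail, F=rlsDFMmnP, S=10, R=20,\n\tA=mail -d $u\n"
TAMPERED_CF = "# sample\nMlocal, P=/tmp/example-prog, F=rlsDFMmnP, S=10, R=20, A=x\n"

if __name__ == "__main__":
    for label, cf in (("good", GOOD_CF), ("tampered", TAMPERED_CF)):
        print(label, audit_local_mailer(cf) or "ok")
```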


