Re: sendmail vunerability ?

[secure () SECUREAUSTIN COM (H D Moore)]

Hi,

Was LPD running on your system?  Does anyone else have shell access to
the machine?  It looks like sendmail was used to facilitate a compromise
that is based off a vulnerability in LPD.  They may have used LPD to
create create that .forward file (containing a pipe/etc) and then used
sendmail to trigger the command.  There were a could LPD
vulnerabilitesposted to bugtraq over the last 6 months or so, take a
look.

-HD

E Kelly Bond wrote:
> I am running Redhat 6.1 with kern 2.2.12-20, and sendmail 8.9.3-15.
>
> I noticed the following in my syslog from last night:
>
> Jan 30 05:15:33 rudolph sendmail[27418]: FAA27418: from=<>,
> size=2938,class=0, pri=242938, nrcpts=8, msgid=<ZOKXFgOYpTbyc.UhyP
> xLP2r () mail localhost com>, proto=SMTP,
> relay=14-100.015.popsite.net[216.126.184.100]
> Jan 30 05:15:33 rudolph sendmail[27464]: FAA27418:
> forward/var/spool/mail/.forward.rudolph: Group writable directory
> Jan 30 05:15:33 rudolph sendmail[27464]: FAA27418:
> forward/var/spool/mail/.forward: Group writable directory
>
> Jan 30 05:15:36 rudolph sendmail[27452]: FAA27452: from=<>,
> size=2938,class=0, pri=242938, nrcpts=8, msgid=<my65UVbQoJG3c.sZYA
> FrpF1 () mail localhost com>, proto=SMTP,
> relay=14-100.015.popsite.net[216.126.184.100]
> Jan 30 05:15:36 rudolph sendmail[27490]: FAA27452:
> forward/var/spool/lpd/.forward.rudolph writable directory
> Jan 30 05:15:36 rudolphil[27490]: FAA27452: forward
> /var/spool/lpd/.forward:Group writable directory
>
> The ".forward" files were not there at 8 am when i checked the logs and saw
> the activity.
>
> Can sendmail be used to create arbitrary directories?
>
> K