Bugtraq mailing list archives

Re: Sendmail 6.x+ holes?


From: martinh () mailhost emap co uk (martinh () mailhost emap co uk)
Date: Mon, 24 Jun 1996 09:06:44 +0000


On Thu, 20 Jun 1996, Alan Brown wrote:

On Wed, 19 Jun 1996, Robert A. Boyd wrote:

Does anyone know of any recent exploits for sendmail 6.x and up? I
suspect my machine might be vulnerable and am just curious as to any new
discoveries.

There are various well known exploits right up to 8.7.4? (5)?

I think 8.7.3 was the last vulnerable release (DNS servers could write to
queue files), but 8.7.5 was a fix to a problem with 8.7.4 that messed up
the Elm mail reader I believe.

Since it might be useful here's a short summary of the problems from
sendmail's release notes:

        8.7.3  DNS can write to queue files (fixed in 8.7.4)
        8.7    Syslog entries can be long enough to tickle syslog() bug
        8.7    Possible problem with passing -B parameter to other servers
        8.6.12 Possible denial of service (destroying alias file) by setting
               resource limits low.
        8.6.12 .forward files can be symlinks. May allow reading of files
        8.6.9  Bogus values in command lines can put trash in headers and
               queue files.
        8.6.9  IDENT information can end up in queue files
        8.6.7  -E option allowed reading any file as root
        8.6.6  root access via -d option. Exploits were on Bugtraq
        8.6.5  Problem with running as owner of :include files, and
               giving away files.
        8.6.4  users' .forward files could be owned by anyone
        8.6.4  GID not completely set (given up?) when running programs
        8.6.4  Users with restricted shells could execute stuff via .forward
        8.6.4  Allowed reading of readable files in untraversable dirs
        8.1    Allowed reading of any file on system


No more matches earlier than 8.1, but I think we know that there are
plenty of problems with V6 and V5 sendmail. This list is from searching
for the word security in sendmail's RELEASE_NOTES file. Anyone have a
similar list for earlier versions of sendmail?

M.


##################################################################
# Martin Hargreaves (martin () datamodl demon co uk)  Computational #
# Director, Datamodel Ltd                                Chemist #
# Contract Unix system admin/Unix security              Sysadmin #
##################################################################
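
Added example, not part of the original message: the search described above (the word "security" in sendmail's RELEASE_NOTES), done so that each hit keeps its release number and wrapped entries are joined, plus a filter for entries from releases newer than an installed version. The file layout (version/date header at column 0, entries indented by one tab, continuation lines by two) is an assumption, and the SAMPLE text is constructed with wording borrowed from the summary, not quoted from the real file.

```python
import re

# Constructed excerpt in the assumed RELEASE_NOTES layout (dates are made up).
SAMPLE = (
    "8.7.4/8.7.3\t96/01/01\n"
    "\tSECURITY: DNS can write to queue files.\n"
    "\tPortability change for one platform.\n"
    "8.6.7/8.6.6\t94/01/01\n"
    "\tTighten -E option handling, which allowed reading any file\n"
    "\t\tas root; this is a security problem.\n"
    "8.6.6/8.6.6\t94/01/01\n"
    "\tSECURITY: root access via -d option.\n"
)

# Release header: dotted version at column 0, optional "/cf-version", whitespace.
HEADER = re.compile(r"^(\d+(?:\.\d+)+)\S*\s")

def vkey(version):
    """Numeric sort key, so that 8.6.12 ranks above 8.6.9."""
    return tuple(int(part) for part in version.split("."))

def parse_entries(text):
    """Return (version, entry) pairs with continuation lines joined."""
    version, entries = None, []
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            version = match.group(1)
        elif version and line.startswith("\t\t") and entries \
                and entries[-1][0] == version:
            entries[-1][1] += " " + line.strip()   # wrapped entry text
        elif version and line.startswith("\t") and line.strip():
            entries.append([version, line.strip()])
    return [tuple(entry) for entry in entries]

def security_fixes(text, keyword="security"):
    """Entries mentioning the keyword anywhere, including wrapped lines."""
    return [(v, e) for v, e in parse_entries(text) if keyword in e.lower()]

def fixes_after(text, installed):
    """Security entries from releases newer than the installed version."""
    return [(v, e) for v, e in security_fixes(text) if vkey(v) > vkey(installed)]

if __name__ == "__main__":
    for version, entry in fixes_after(SAMPLE, "8.6.6"):
        print(version, entry)
```

A plain line-by-line search would report the 8.6.7 hit only as its continuation line, with neither the release number nor the start of the entry.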


