Bugtraq mailing list archives

Re: New Sendmail bug

From: claude () INFOBIOGEN FR (Claude Scarpelli)
Date: Tue, 25 Mar 1997 09:57:47 +0100


In a mail dated Mar 24, bygranz () RS6000 CMP ILSTU EDU (Gonzo Granzeau) wrote:

Jeffrey Moyer once rambled this:

On Sat, 22 Mar 1997 C0WZ1LL4 () NETSPACE ORG wrote:

Hello fellow mongoloids
Try this:
Make hard link of /etc/passwd to /var/tmp/dead.letter
Telnet to port 25, send mail from some bad email address to some
unreacheable hoost.
Watch your message get appended to passwd.
ie:
cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh


okay, just want to point out some things about this exploit...
this won't work on big boxes that are partitioned cause you can only do a
hard link on the same file system.  another point is that any box that has
a 'MAILER-DAEMON' defined will get any mail that gets sent there instead of it


Sometimes, sendmail can't send mail to MAILER-DAEMON. In these case,
the message is stored in /var/tmp/dead.letter.

I have seen it appear in the following configuration :

1) sendmail on the best MX host is configured to refuse mail bigger
   than x bytes.

2) sendmail on a lower priority MX host is configured as a null client
   (FEATURE(nullclient)), but without the size limit.

3) a big mail (bigger than x bytes) arrives on the host where sendmail
   is configured as a null client (the low priority MX host).

Here is what happens then:

4) the null client tries to pass the mail to the best MX, which refuse
   it (bigger than x bytes)

5) So the null client tries to bounce back the mail to the
   originator. Since  it is a null client, it sends the mail to the
   best MX host.

6) But the best MX host refuses the mail (bigger than x bytes). So the
   null client tries to send a notification to MAILER-DAEMON. Since it
   is a null client, it sends this mail to the best MX host, which
   refuse it (bigger than x bytes). This a case where sendmail will
   write to /var/tmp/dead.letter.

It may exist other ways for sendmail to write in /var/tmp/dead.letter.


--
------------------------------------------------------------------------------
Claude Scarpelli                        | Defenestrate: to exit a window
INFOBIOGEN::= INFOrmatique appliquée à | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes | Vol 146, No. 20, Nov 13, 1995)

Current thread:

buffer over in hp-ux 10.20 kernel C0WZ1LL4 () NETSPACE ORG (Mar 21)
- Re: New Sendmail bug Jeffrey Moyer (Mar 24)
  - Re: New Sendmail bug Gonzo Granzeau (Mar 24)
    - Re: New Sendmail bug Claude Scarpelli (Mar 25)
    - Latest IE FIX from MS is a HOAX Aaron Spangler (Mar 25)
    - Re: Latest IE FIX from MS is a HOAX Michael H. Warfield (Mar 25)
    - ANNOUNCE : NTCrack v1.0 Jonathan Wilkins (Mar 27)
    - There are more loopholes in LPD Patrick Powell (Mar 28)
    - symlink bug in tin/rtin NetRunner (Mar 29)
    - Re: symlink bug in tin/rtin Nelson Murilo (Mar 29)
    - ANNOUNCE : NTCrack v2.0 Jonathan Wilkins (Mar 29)
    - more sendmail poop *Hobbit* (Mar 25)
    - Reported Sendmail 8.8.4 Exploit gshapiro () SENDMAIL ORG (Mar 25)
    - minor vulnerability in ELM Dmitry E. Kim (Mar 26)

(Thread continues...)