Bugtraq mailing list archives
Re: New Sendmail bug
From: claude () INFOBIOGEN FR (Claude Scarpelli)
Date: Tue, 25 Mar 1997 09:57:47 +0100
In a mail dated Mar 24, bygranz () RS6000 CMP ILSTU EDU (Gonzo Granzeau) wrote:
> Jeffrey Moyer once rambled this:
> On Sat, 22 Mar 1997 C0WZ1LL4 () NETSPACE ORG wrote:
> Hello fellow mongoloids
> Try this:
> Make hard link of /etc/passwd to /var/tmp/dead.letter
> Telnet to port 25, send mail from some bad email address to some unreachable host.
> Watch your message get appended to passwd.
> ie:
> cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh
>
> okay, just want to point out some things about this exploit... this won't work on big boxes that are partitioned cause you can only do a hard link on the same file system. another point is that any box that has a 'MAILER-DAEMON' defined will get any mail that gets sent there instead of it

Sometimes, sendmail can't send mail to MAILER-DAEMON. In this case, the message is stored in /var/tmp/dead.letter. I have seen it appear in the following configuration:

1) sendmail on the best MX host is configured to refuse mail bigger than x bytes.
2) sendmail on a lower priority MX host is configured as a null client (FEATURE(nullclient)), but without the size limit.
3) a big mail (bigger than x bytes) arrives on the host where sendmail is configured as a null client (the low priority MX host).

Here is what happens then:

4) the null client tries to pass the mail to the best MX, which refuses it (bigger than x bytes).
5) So the null client tries to bounce the mail back to the originator. Since it is a null client, it sends the mail to the best MX host.
6) But the best MX host refuses the mail (bigger than x bytes). So the null client tries to send a notification to MAILER-DAEMON. Since it is a null client, it sends this mail to the best MX host, which refuses it (bigger than x bytes).

This is a case where sendmail will write to /var/tmp/dead.letter. There may be other ways for sendmail to write to /var/tmp/dead.letter.

--
Claude Scarpelli                         | Defenestrate: to exit a window
INFOBIOGEN::= INFOrmatique appliquée à   | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes  | Vol 146, No. 20, Nov 13, 1995)
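
Added example, not part of the original post and not sendmail's own code: a C helper showing the check a privileged writer can make before appending to a file such as /var/tmp/dead.letter, refusing symlinks and any file that has more than one hard link. The name `safe_append_open`, the default path and the message text are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd open for append, or -1 with errno set. */
int safe_append_open(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink as the final component; no O_CREAT here,
       so an existing name is only opened, never silently replaced. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0 && errno == ENOENT)
        /* O_EXCL: succeed only if this call creates a brand-new inode. */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the name, so the checks describe the
       inode that will actually be written. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||     /* no devices, FIFOs or directories */
        st.st_nlink != 1 ||         /* a second name means a hard link */
        st.st_uid != geteuid()) {   /* file must belong to the writer */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "dead.letter"; /* sample default */
    static const char msg[] = "undeliverable message body\n"; /* constructed */
    int fd = safe_append_open(path);
    if (fd < 0) {
        fprintf(stderr, "refusing %s: %s\n", path, strerror(errno));
        return 1;
    }
    if (write(fd, msg, sizeof msg - 1) < 0) perror("write");
    close(fd);
    return 0;
}
```

The link-count check rejects the hard-linked name described in the thread; keeping such files out of world-writable directories removes the problem at its source.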