Vulnerability Development mailing list archives

Re: procmail again


From: Valdis.Kletnieks () vt edu
Date: Sun, 19 Oct 2003 02:49:13 -0400

On Sat, 18 Oct 2003 22:34:14 PDT, ned said:
libd.so.1 is the sharefuzz getenv() hooker which just returns big buffers.
I no longer have a redhat 7.1 machine and that information is a little over
12 months old, therefore someone with a rh 7.1 system please send in your

Oh.. getenv hooker. Hmm.. Might be fixed by:

2001/06/28: v3.20
            Changes to procmail:
(....)
               - Drop duplicate and malformed environment entries

but trying to develop anything out of it will be quite the challenge - you'll need
to find a procmail 3.14 running on a box that doesn't leak like swiss cheese through
other holes - I'd not trust *anything* on an unpatched RH7.1 that's on a public net.

I mean, how do you know some hacker hasn't nailed libc.so with some code that
does:
        if (!geteuid() && !strcmp(argv[0],"procmail")) {.....
to re-insert a backdoor into the system?

If your research box is very old and/or unpatched, and isn't in a strictly
controlled lab environment, trying to research can be interesting because you
can't be sure you aren't tripping over somebody else's rootkit.. ;)

(What? You wanted more profound insight at 2:45AM? ;)
