Bugtraq archives for 4th quarter (Oct-Dec) 1994: Re: udp packet storms - ping death

Michael Neuman (mcnc3serve.c3.lanl.gov)
Wed, 2 Nov 1994 21:34:55 -0700 (MST)

Perry Metzger says:
> Charles Howes says:
> > > Our copy of ping is installed setuid root; ...
> > 
> > So you mean that any student at princeton can panic any Sun there just by
> > typing that command?  Cool...
> There are already so many ways to panic suns from userland...

Here's a complete waste of bandwidth and everyone's time... Name as many
ways to remotely panic a Sun that you know of, Perry, or don't fill the
ether with this worthless drivel.

ObBug: By default, newaliases creates the aliases database files mode 666. 
This means any user can, by hand, insert the "|uudecode" (or any other alias) 
simply by replacing one of the entries in the database file. Sendmail
(newaliases is just a link to sendmail usually) 8.6.x isn't vulnerable to 
this, but most are. Here's the problem:
(sendmail:newaliases.c -- "(#)newaliases.c        5.4 (Berkeley) 6/1/90")
	(void) strcpy(dirbuf, aliases);
	(void) strcat(dirbuf, ".dir");
	(void) strcpy(pagbuf, aliases);
	(void) strcat(pagbuf, ".pag");
	f = creat(dirbuf, 0666);
	if (f < 0) {
To test this, remove your aliases.pag and aliases.dir and run
'newaliases'. If the files reappear as 666, your sendmail is vulnerable.
The default Sun 4.1.3_U1 sendmail is vulnerable and at the time I sent it
in, Unicos sendmail was also vulnerable, as well as others, I'm sure.

BTW: I sent this to CERT and CIAC over a year ago, and it doesn't appear
to be fixed yet (at least not by Sun).

(no longer an employee of LANL--I speak for myself)
CERT/CIAC: If you want a writeup and exploitation scripts, I can send
them to you again...
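The check the post describes (look at the mode of the files newaliases leaves behind) as a small audit script. This is an added example, not part of the original message or of sendmail; the file names aliases.dir, aliases.pag and aliases.db are the conventional ones, and the sample files it creates are constructed in a temporary directory, not a real sendmail install.

```shell
# check_alias_db FILE...  -> prints each file that is group- or world-writable
# and returns 1 if any is, 0 if all are safe. Parses ls(1) output rather than
# stat(1) so it runs on both GNU and BSD systems.
check_alias_db() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            continue
        fi
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-rw-rw-
        case "$mode" in
            ?????w????|????????w?)             # char 6 = group write, char 9 = other write
                echo "WRITABLE: $f ($mode)"
                rc=1 ;;
        esac
    done
    return $rc
}

# fix_alias_db FILE...  -> strip the group/other write bits, which is what a
# fixed newaliases produces in the first place.
fix_alias_db() {
    chmod go-w "$@"
}

# Stand-alone demo on constructed files: the 0666 that creat() in the quoted
# newaliases.c produces, beside one file that was already created safely.
demo() {
    d=$(mktemp -d)
    : > "$d/aliases.dir"; chmod 666 "$d/aliases.dir"   # as the vulnerable code leaves it
    : > "$d/aliases.pag"; chmod 666 "$d/aliases.pag"
    : > "$d/aliases.db";  chmod 644 "$d/aliases.db"    # safe mode for comparison
    check_alias_db "$d"/aliases.* || :                  # reports .dir and .pag
    fix_alias_db "$d"/aliases.*
    check_alias_db "$d"/aliases.* && echo "all alias database files are safe"
    rm -rf "$d"
}
demo
```

On a live system run check_alias_db against the real alias database files (typically /etc/aliases.* or wherever your sendmail.cf points).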