Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1995_1

Bugtraq archives for 1st quarter (Jan-Mar) 1995: Re: new sendmail bug?

Re: new sendmail bug?

Michael Van Norman (mvnLibrary.UCLA.EDU)
Thu, 23 Feb 1995 05:31:10 -0800 (PST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: der Mouse: "Sendmail 8.6.10: what's different?"
Previous message: Dave Goldberg: "Re: lsof on Solaris 2.4 (was snooper watchers )"
In reply to: James W. Abendschan: "new sendmail bug?"
Next in thread: Quentin Fennessy: "Re: new sendmail bug?"

> I just read the new CERT advisory on the sendmail bug.. anybody have any 
> details?

No details, but I have confirmed part of it on one of my AIX boxes.

> I gathered it had something to do with imbedding newlines in
> either the info it reads from identd and/or imbedding newlines
> when giving it command line options.. but it's hard to say.

The method I exploited was that of using newlines in the command
options.  By imbedding newlines in the recipient address, it is
possible to write extra lines to sendmail's queue file.  Carefully
chosen additions will let you run an arbitrary program as an arbitrary
user (except maybe root -- I cracked bin).

-- 
Michael Van Norman
mvnlibrary.ucla.edu                  Library Information Systems/Development
+1.310.206.5579 (voice)                 University of California, Los Angeles
+1.310.206.2880 (facsimile)                 11334 University Research Library
http://www.library.ucla.edu/~mvn          Los Angeles, California  90095-1575

Next message: der Mouse: "Sendmail 8.6.10: what's different?"
Previous message: Dave Goldberg: "Re: lsof on Solaris 2.4 (was snooper watchers )"
In reply to: James W. Abendschan: "new sendmail bug?"
Next in thread: Quentin Fennessy: "Re: new sendmail bug?"