Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!swrinde!cs.utexas.edu!howland.reston.ans.net!spool.mu.edu!carroll1.cc.edu!carroll1.cc.edu!not-for-mail
From: sander@carroll1.cc.edu (Scott B. Anderson)
Newsgroups: comp.os.386bsd.misc
Subject: What about the *BSD sendmails?
Date: 18 Nov 1993 18:55:53 -0600
Organization: The Carroll College poorly-installed InterNetNews site
Lines: 15
Message-ID: <2ch5ip$d7t@carroll1.cc.edu>
NNTP-Posting-Host: carroll1.cc.edu
Summary: recently, new sendmail holes were discovered, is the main *BSD user base at risk?
Keywords: ARE THEY ALL HACKABLE?

If you read the unix security newsgroups or get the cert mailing list (others too I'm sure) you already know about this. If not, read on.

Most SunOS (all except for 5.3) sendmails and most plain BSD sendmails have this bug.

If you MAIL FROM:|/usr/bin/tail|/bin/sh and then in the DATA give a bogus Return-Receipt-To:|foobar you can get daemon to do whatever you want in the last 10 lines of the message, like cp /bin/sh /tmp/bugshell then suid chmod it, or have it run an xterm for you if you are brave. :)

The point is that this is unacceptable and needs fixing if it's broken on the *BSD sendmails.

Scott Anderson
sander@rush.cc.edu
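
A detection check for the pattern the post describes, added here as an example that is not part of the original post: it scans the client side of a captured SMTP session for an envelope sender or a Return-Receipt-To header whose address starts with a pipe to a program. The function name, regexes and sample session are constructed for illustration; only the two pipe strings come from the post.

```python
import re

# Address fields whose value starts with "|" (delivery to a program).
MAIL_FROM_PIPE = re.compile(r"^MAIL\s+FROM:\s*<?\s*\|", re.IGNORECASE)
RECEIPT_PIPE = re.compile(r"^Return-Receipt-To:\s*<?\s*\|", re.IGNORECASE)


def find_pipe_addresses(transcript):
    """Return (line_number, kind, line) for each suspicious client line.

    MAIL FROM is checked only in the command phase and Return-Receipt-To
    only in the header part of DATA, so text quoted in a body is ignored.
    """
    findings = []
    in_data = in_headers = False
    for number, raw in enumerate(transcript.splitlines(), start=1):
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":  # end of DATA
                in_data = in_headers = False
            elif in_headers and line == "":  # blank line ends the headers
                in_headers = False
            elif in_headers and RECEIPT_PIPE.match(line):
                findings.append((number, "return-receipt-to", line))
            continue
        if line.strip().upper() == "DATA":
            in_data = in_headers = True
        elif MAIL_FROM_PIPE.match(line):
            findings.append((number, "mail-from", line))
    return findings


# Constructed client-side session using the two strings quoted in the post.
SUSPICIOUS = "\n".join([
    "HELO client.example",
    "MAIL FROM:|/usr/bin/tail|/bin/sh",
    "RCPT TO:<postmaster@mail.example>",
    "DATA",
    "From: someone@client.example",
    "Return-Receipt-To:|foobar",
    "Subject: test",
    "",
    "body text",
    ".",
    "QUIT",
])

if __name__ == "__main__":
    for number, kind, line in find_pipe_addresses(SUSPICIOUS):
        print(f"line {number}: {kind}: {line}")
```

The same two patterns can serve as reject rules in an SMTP front end, since a legitimate sender or receipt address never begins with `|`.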