*BSD News Article 24186



Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!swrinde!cs.utexas.edu!howland.reston.ans.net!spool.mu.edu!carroll1.cc.edu!carroll1.cc.edu!not-for-mail
From: sander@carroll1.cc.edu (Scott B. Anderson)
Newsgroups: comp.os.386bsd.misc
Subject: What about the *BSD sendmails?
Date: 18 Nov 1993 18:55:53 -0600
Organization: The Carroll College poorly-installed InterNetNews site
Lines: 15
Message-ID: <2ch5ip$d7t@carroll1.cc.edu>
NNTP-Posting-Host: carroll1.cc.edu
Summary: recently, new sendmail holes were discovered, is the main *BSD user base at risk?
Keywords: ARE THEY ALL HACKABLE?


If you read the Unix security newsgroups or get the CERT
mailing list (others too, I'm sure) you already know about
this.  If not, read on.

Most SunOS (all except for 5.3) sendmails and most plain BSD sendmails
have this bug.  If you MAIL FROM:|/usr/bin/tail|/bin/sh and then in the
DATA give a bogus Return-Receipt-To:|foobar, you can get daemon to do whatever
you want in the last 10 lines of the message, like cp /bin/sh /tmp/bugshell
and then suid chmod it, or have it run an xterm for you if you are brave.  :)
The point is that this is unacceptable and needs fixing if it's broken on the
*BSD sendmails.

Scott Anderson
sander@rush.cc.edu
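The two places the post names, a pipe-addressed envelope sender in MAIL FROM and a pipe-addressed Return-Receipt-To header inside DATA, are easy to spot on the wire, so the check below is what an administrator of one of those *BSD or SunOS hosts could run over an SMTP transcript or a mail-relay log to see whether anyone is trying this. It is an added example, not code from the original post or from sendmail; the function names are the author's own and the transcript is constructed to mirror the post, with the payload lines being the post's own cp/chmod sequence rather than anything that runs here.

```python
"""Detect the sendmail pipe-address abuse described in the post.

Added example (not from the original post).  It flags an envelope
sender or a Return-Receipt-To header that begins with '|', which is
what hands the message to a program instead of a mailbox, and shows
which body lines 'tail' would forward to the shell (the last 10 by
default, as the post says).  Function names are assumed/hypothetical.
"""
import re

# Constructed client-side SMTP transcript modelled on the post.  The
# body lines are placeholders copied from the post's description; this
# script only parses text and executes nothing.
SAMPLE_TRANSCRIPT = """\
HELO attacker.example
MAIL FROM:|/usr/bin/tail|/bin/sh
RCPT TO:victim@host.example
DATA
Return-Receipt-To:|foobar
Subject: hello

some padding
cp /bin/sh /tmp/bugshell
chmod 4755 /tmp/bugshell
.
QUIT
"""

# An address whose first non-blank character (after an optional '<') is '|'.
PIPE_ADDR = re.compile(r"^\s*<?\s*\|")


def parse_smtp_transcript(text):
    """Split a client transcript into envelope, headers and body lines."""
    envelope, headers, body = {}, {}, []
    in_data = in_headers = False
    for line in text.splitlines():
        if not in_data:
            upper = line.upper()
            if upper.startswith("MAIL FROM:"):
                envelope["from"] = line[len("MAIL FROM:"):].strip()
            elif upper.startswith("RCPT TO:"):
                envelope.setdefault("to", []).append(line[len("RCPT TO:"):].strip())
            elif upper == "DATA":
                in_data = in_headers = True
            continue
        if line == ".":            # lone dot terminates DATA
            in_data = False
            continue
        if in_headers:
            if line == "":         # blank line separates headers from body
                in_headers = False
                continue
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        else:
            body.append(line)
    return {"envelope": envelope, "headers": headers, "body": body}


def find_pipe_addresses(msg):
    """Return (location, address) pairs a relay filter should reject."""
    findings = []
    sender = msg["envelope"].get("from", "")
    if PIPE_ADDR.match(sender):
        findings.append(("MAIL FROM", sender))
    rrt = msg["headers"].get("return-receipt-to")
    if rrt is not None and PIPE_ADDR.match(rrt):
        findings.append(("Return-Receipt-To", rrt))
    return findings


def tail_payload(msg, n=10):
    """Body lines that 'tail' (default: last 10) would pass to /bin/sh."""
    return msg["body"][-n:]


if __name__ == "__main__":
    m = parse_smtp_transcript(SAMPLE_TRANSCRIPT)
    for where, addr in find_pipe_addresses(m):
        print("pipe-addressed %s: %s" % (where, addr))
    print("lines a shell would run:", tail_payload(m))
```

Matching only the leading '|' is deliberate: the program name after it is attacker-chosen, so a filter keyed on /usr/bin/tail or /bin/sh would be trivial to sidestep. Rejecting the message at MAIL FROM time is preferable to inspecting DATA, since the envelope arrives first.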