Sendmail .forward Arbitrary Non-root Command Execution

1989-01-25T04:29:25
ID OSVDB:16647
Type osvdb
Reporter OSVDB
Modified 1989-01-25T04:29:25

Description

Vulnerability Description

Sendmail contains a flaw that may allow a local attacker to gain increased privileges. The flaw can be exploited by creating a custom .forward file that calls a program to create a SUID shell before connecting to the SMTP port (25) and sending yourself mail from the user you want to invoke the shell as. This will work for any user on the system except root.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Sendmail contains a flaw that may allow a local attacker to gain increased privileges. The flaw can be exploited by creating a custom .forward file that calls a program to create a SUID shell before connecting to the SMTP port (25) and sending yourself mail from the user you want to invoke the shell as. This will work for any user on the system except root.

References:

Other Advisory URL: http://bau2.uibk.ac.at/matic/buglist.htm Generic Informational URL: http://web.mit.edu/afs/sipb/project/beacon-src/sendmail/sendmail.5.61/