[13033] in bugtraq
Re: procmail / Sendmail - five bugs
daemon@ATHENA.MIT.EDU (Rob Jones)
Tue Dec 21 16:21:35 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <385EF644.ECA0F8CD@cwo.com.au>
Date: Tue, 21 Dec 1999 14:38:44 +1100
Reply-To: Rob Jones <robert.e.jones@CWO.COM.AU>
From: Rob Jones <robert.e.jones@CWO.COM.AU>
X-To: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
> a) Sendmail (tested with 8.9.3 and previous) allows you to put mail
> addressed to eg. '|/bin/sh' (or any file) into mail queue. Fortunately,
> this queue file should contain also line like 'Croot' to be processed
> properly, while we have no idea how to put it there. But, anyway,
> seems to be dangerous - Sendmail should reject such crap immediately:
>
> /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh'
>
> (without these double-quotes, it _will_ immediately drop your message)
with or without these double-quotes the message is immediately dropped
on redhat linux with the message
[rob@greedo rob]$ /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh'
""|/bin/sh... User unknown
[rob@greedo rob]$ /usr/sbin/sendmail -O 'DeliveryMode=d' '|/bin/sh'
|/bin/sh... Cannot mail directly to programs
Same hapens if I am root or try remotely.
Rob
