[22388] in bugtraq
Re: Another sendmail exploit [local root compromise]
daemon@ATHENA.MIT.EDU (Michael Kjorling)
Thu Aug 23 10:33:44 2001
Date: Thu, 23 Aug 2001 09:33:44 +0200 (CEST)
From: Michael Kjorling <michael@kjorling.com>
To: Bugtraq <bugtraq@securityfocus.com>
In-Reply-To: <Pine.BSO.4.33.0108230438100.29605-200000@disorder.grange.ru>
Message-ID: <Pine.LNX.4.33.0108230920350.8982-100000@varg.wolfpack>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sendmail 8.11.4 on Red Hat 6.2 and kernel 2.2.18 confirmed vulnerable
to this local root exploit with mail's shell both blank (meaning
/bin/bash) and /usr/sbin/smrsh 8.11 (Berkeley) 5/19/1998. I got dumped
into a root bash shell both times when starting this program as an
ordinary user. Sendmail 8.11.6 on the same platform is confirmed *not* to
be vulnerable under the same two setups (with and without smrsh). smrsh
with 8.11.6 does not have an explicit version number but mentions
@(#)$Id: smrsh.c,v 8.31.4.9 2001/04/24 04:11:51 ca Exp $.
Is this the command line processing bug mentioned at
http://www.sendmail.org/8.11.html?
Michael Kjörling
On Aug 23 2001 04:40 +0400, Alexander Yurchenko wrote:
> Here's an another sendmail exploit for linux x86.
>
> Alexander Yurchenko aka grange
- --
Michael Kjörling - michael@kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)
^..^ Support the wolves in Norway -- go to ^..^
\/ http://home.no.net/ulvelist/protest_int.htm \/
***** Please only send me emails which concern me *****
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For my PGP key: http://michael.kjorling.com/contact/pgp.html
iD8DBQE7hLHfKqN7/Ypw4z4RAnclAJsEAoj0h7SKvLpyYBttCwXPAP5pJACfdysX
7y05P5ILqXr2E+aRRkW6Ev4=
=uf78
-----END PGP SIGNATURE-----