[4199] in bugtraq
Re: New Sendmail bug
daemon@ATHENA.MIT.EDU (Gonzo Granzeau)
Mon Mar 24 15:40:42 1997
Date: Mon, 24 Mar 1997 10:17:05 -0600
Reply-To: Gonzo Granzeau <bygranz@RS6000.CMP.ILSTU.EDU>
From: Gonzo Granzeau <bygranz@RS6000.CMP.ILSTU.EDU>
X-To: phro@SEGFAULT.RES.WPI.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.970324084000.13931B-100000@segfault.res.WPI.EDU>
from "Jeffrey Moyer" at Mar 24, 97 08:44:07 am
Jeffrey Moyer once rambled this:
> On Sat, 22 Mar 1997 C0WZ1LL4@NETSPACE.ORG wrote:
>
> > Hello fellow mongoloids
> > Try this:
> > Make hard link of /etc/passwd to /var/tmp/dead.letter
> > Telnet to port 25, send mail from some bad email address to some
> > unreachable host.
> > Watch your message get appended to passwd.
> > ie:
> > cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh

okay, just want to point out some things about this exploit...
this won't work on big boxes that are partitioned cause you can only do a
hard link on the same file system. another point is that any box that has
a 'MAILER-DAEMON' defined will get any mail that gets sent there instead of it
saving it to /var/tmp/dead.letter, ie, make an /etc/aliases file that defines
a MAILER-DAEMON. for instance, i add these two to my /etc/aliases:

    MAILER-DAEMON:gonzo
    postmaster:gonzo

then you just type 'newaliases' and you're good to go. (postmaster is a
general good idea) course then you have to deal with ppl's messed up mail...

> Okay, here is a very very simple kluge to temporarily fix it. Create a
> file /var/tmp/dead.letter with chmod 0644 perms. That way no one can make
> the hard link to /etc/passwd, b/c the file /var/tmp/dead.letter already
> exists.
that would help out cause you could see who was trying to break into your
system, but that is not an agreeable solution.
gonzo
--
+----R-----------------T---------------------F------------------M---+
| Gonzo Granzeau http://www.ilstu.edu/~bygranz Unix Support `8r) |
| "Let's go get tatoos!!" "uh... okay." |
| Nothing I (/usr/dict/words) has to do with Unix Support |
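
Added example, not part of the original message: a shell sketch that audits the conditions discussed in this thread (the state and link count of dead.letter, whether it shares a filesystem with /etc/passwd, and whether MAILER-DAEMON and postmaster aliases exist). The function names and the audit.sh script name are hypothetical, and the parsing assumes the POSIX output layout of `ls -ldn` and `df -P`.

```shell
#!/bin/sh
# Added audit sketch, not code from the thread; paths are arguments so the
# checks can be run against test copies. Function names are hypothetical.

# Hard-link count of a path, taken from field 2 of `ls -ldn`.
link_count() { ls -ldn "$1" | awk '{print $2}'; }

# Classify dead.letter: absent | symlink | hardlinked | regular | other
dead_letter_state() {
    if [ -L "$1" ]; then echo symlink
    elif [ ! -e "$1" ]; then echo absent
    elif [ ! -f "$1" ]; then echo other
    elif [ "$(link_count "$1")" -gt 1 ]; then echo hardlinked
    else echo regular
    fi
}

# Hard links cannot cross mount points (the partitioning point in the reply),
# so compare the mount point that `df -P` reports for each path.
mount_of() { df -P "$1" | awk 'NR==2{print $6}'; }
same_filesystem() { [ "$(mount_of "$1")" = "$(mount_of "$2")" ]; }

# True when the aliases file has an entry for the alias (case-insensitive).
alias_defined() { grep -i -q "^[[:space:]]*$2[[:space:]]*:" "$1"; }

# Print findings for the conditions discussed in the thread; return 1 if any.
audit_dead_letter() {
    dl=$1; target=$2; aliases=$3; rc=0
    state=$(dead_letter_state "$dl")
    case $state in
        symlink|hardlinked|other)
            echo "FINDING: $dl is $state"; rc=1 ;;
        absent)
            same_filesystem "$(dirname "$dl")" "$target" &&
                { echo "FINDING: $dl absent, same filesystem as $target"; rc=1; } ;;
    esac
    for a in MAILER-DAEMON postmaster; do
        alias_defined "$aliases" "$a" ||
            { echo "FINDING: no $a alias in $aliases"; rc=1; }
    done
    return $rc
}

# e.g. sh audit.sh /var/tmp/dead.letter /etc/passwd /etc/aliases
if [ $# -eq 3 ]; then audit_dead_letter "$@"; fi
```

A "hardlinked" or "symlink" result means the file should be inspected before anything is allowed to append to it.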