[4210] in bugtraq

Re: New Sendmail bug

daemon@ATHENA.MIT.EDU (Claude Scarpelli)
Tue Mar 25 10:27:26 1997

Date: 	Tue, 25 Mar 1997 09:57:47 +0100
Reply-To: Claude Scarpelli <claude@INFOBIOGEN.FR>
From: Claude Scarpelli <claude@INFOBIOGEN.FR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199703241617.KAA85670@rs6000.cmp.ilstu.edu>; from Gonzo Granzeau
              on Mar 24, 1997 10:17:05 -0600

In a mail dated Mar 24, bygranz@RS6000.CMP.ILSTU.EDU (Gonzo Granzeau) wrote:
> Jeffrey Moyer once rambled this:
> > On Sat, 22 Mar 1997 C0WZ1LL4@NETSPACE.ORG wrote:
> >
> > > Hello fellow mongoloids
> > > Try this:
> > > Make hard link of /etc/passwd to /var/tmp/dead.letter
> > > Telnet to port 25, send mail from some bad email address to some
> > > unreachable host.
> > > Watch your message get appended to passwd.
> > > ie:
> > > cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh
>
> okay, just want to point out some things about this exploit...
> this won't work on big boxes that are partitioned cause you can only do a
> hard link on the same file system.  another point is that any box that has
> a 'MAILER-DAEMON' defined will get any mail that gets sent there instead of it

Sometimes, sendmail can't send mail to MAILER-DAEMON. In these cases,
the message is stored in /var/tmp/dead.letter.

I have seen it appear in the following configuration:

1) sendmail on the best MX host is configured to refuse mail bigger
   than x bytes.

2) sendmail on a lower priority MX host is configured as a null client
   (FEATURE(nullclient)), but without the size limit.

3) a big mail (bigger than x bytes) arrives on the host where sendmail
   is configured as a null client (the low priority MX host).

Here is what happens then:

4) the null client tries to pass the mail to the best MX, which refuses
   it (bigger than x bytes)

5) So the null client tries to bounce back the mail to the
   originator. Since it is a null client, it sends the mail to the
   best MX host.

6) But the best MX host refuses the mail (bigger than x bytes). So the
   null client tries to send a notification to MAILER-DAEMON. Since it
   is a null client, it sends this mail to the best MX host, which
   refuses it (bigger than x bytes). This is a case where sendmail will
   write to /var/tmp/dead.letter.

There may be other ways for sendmail to write to /var/tmp/dead.letter.


--
------------------------------------------------------------------------------
Claude Scarpelli                        | Defenestrate: to exit a window
INFOBIOGEN ::= INFOrmatique appliquée à | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes | Vol 146, No. 20, Nov 13, 1995)
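
Added example, not part of the original post and not sendmail's own code: a C sketch of how a daemon can refuse to append to a spill file such as dead.letter when that name is a hard link or symlink to some other file. The function names, the temporary directory and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Append only to a regular, singly-linked, non-symlink file; 0 = ok, -1 = refused. */
int safe_append(const char *path, const char *msg)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink planted as the final path component. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* fstat() the descriptor: st_nlink > 1 means the file has another name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Constructed scenario: "victim" stands in for a sensitive file; hardlinked != 0
 * makes dead.letter a second name for it. Returns safe_append()'s result or -2. */
int run_scenario(int hardlinked, long *victim_size)
{
    char dir[] = "/tmp/dlXXXXXX", victim[64], dead[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dead, sizeof dead, "%s/dead.letter", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -2;
    close(fd);
    if (hardlinked && link(victim, dead) != 0) return -2;
    int rc = safe_append(dead, "bounced message body\n");
    *victim_size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(dead); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    long sz;
    printf("hard-linked dead.letter: rc=%d\n", run_scenario(1, &sz));
    return run_scenario(0, &sz); /* 0 when a fresh dead.letter is accepted */
}
```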