[152] in bugtraq
Re: udp packet storms - ping death
daemon@ATHENA.MIT.EDU (Michael Neuman)
Thu Nov 3 00:57:39 1994
To: perry@imsi.com
Date: Wed, 2 Nov 1994 21:34:55 -0700 (MST)
From: "Michael Neuman" <mcn@c3serve.c3.lanl.gov>
Cc: chowes@helix.net, bugtraq@fc.net, ciac@ciac.llnl.gov, cert@cert.org
In-Reply-To: <9411021904.AA07880@snark.imsi.com> from "Perry E. Metzger" at Nov 2, 94 02:04:32 pm
Perry Metzger says:
> Charles Howes says:
> > > Our copy of ping is installed setuid root; ...
> >
> > So you mean that any student at princeton can panic any Sun there just by
> > typing that command? Cool...
>
> There are already so many ways to panic suns from userland...
Here's a complete waste of bandwidth and everyone's time... Name as many
ways to remotely panic a Sun that you know of, Perry, or don't fill the
ether with this worthless drivel.
ObBug: By default, newaliases creates the aliases database files mode 666.
This means any user can, by hand, insert the "|uudecode" (or any other alias)
simply by replacing one of the entries in the database file. Sendmail
(newaliases is just a link to sendmail usually) 8.6.x isn't vulnerable to
this, but most are. Here's the problem:
(sendmail:newaliases.c -- "@(#)newaliases.c 5.4 (Berkeley) 6/1/90")

        (void) strcpy(dirbuf, aliases);
        (void) strcat(dirbuf, ".dir");
        (void) strcpy(pagbuf, aliases);
        (void) strcat(pagbuf, ".pag");
        f = creat(dirbuf, 0666);        /* 0666: group- and world-writable */
        if (f < 0) {
                perror(dirbuf);
                exit(1);
        }
        (void)close(f);
To test this, remove your aliases.pag and aliases.dir and run
'newaliases'. If the files reappear as 666, your sendmail is vulnerable.
The default Sun 4.1.3_U1 sendmail is vulnerable and at the time I sent it
in, Unicos sendmail was also vulnerable, as well as others, I'm sure.
BTW: I sent this to CERT and CIAC over a year ago, and it doesn't appear
to be fixed yet (at least not by Sun).
-Mike
(no longer an employee of LANL--I speak for myself)
CERT/CIAC: If you want a writeup and exploitation scripts, I can send
them to you again...
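The hand test from the posting (recreate the .dir/.pag pair, then look at the mode bits) as a self-contained C program. This is an added example, not code from the posting or from sendmail: it builds one pair with the creat(..., 0666) call quoted above and one with an owner-write-only 0644 mode, in a scratch directory under /tmp (a constructed location) rather than on the real /etc/aliases, and then checks each pair for the "other" write bit the way an auditor would. Because the affected systems produced 666 files, the program clears the process umask before creating them; that the original environment had no masking umask is an assumption made here so the result is deterministic.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Does the file at path grant write permission to "other"?
 * Returns 1 if yes, 0 if no, -1 if it cannot be stat()ed. */
int world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Create <base><suffix> the way the quoted newaliases.c does, via creat()
 * with an explicit mode.  0666 is the call as shipped; 0644 keeps the write
 * bit for the owner only.  Returns 0 on success, -1 on failure. */
int create_db_file(const char *base, const char *suffix, mode_t mode)
{
    char path[512];
    int f;

    if (snprintf(path, sizeof path, "%s%s", base, suffix) >= (int)sizeof path)
        return -1;
    f = creat(path, mode);
    if (f < 0)
        return -1;
    (void)close(f);
    return 0;
}

/* Inspect a .dir/.pag pair the way the posting's hand test does.
 * Returns 1 if both files are world-writable, 0 if neither is, -1 otherwise. */
int check_pair(const char *base)
{
    char path[512];
    int d, p;

    snprintf(path, sizeof path, "%s.dir", base);
    d = world_writable(path);
    snprintf(path, sizeof path, "%s.pag", base);
    p = world_writable(path);
    if (d == 1 && p == 1)
        return 1;
    if (d == 0 && p == 0)
        return 0;
    return -1;
}

/* Run the comparison in a scratch directory rather than on /etc/aliases.
 * Returns 0 when the 0666 pair comes out world-writable and the 0644 pair
 * does not; a negative value otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/aliasdemoXXXXXX";     /* constructed scratch location */
    const char *names[] = { "vuln", "fixed" };
    const mode_t modes[] = { 0666, 0644 };
    const char *suffixes[] = { ".dir", ".pag" };
    char base[256], path[512];
    mode_t saved;
    int result[2], i, j;

    if (mkdtemp(dir) == NULL)
        return -1;
    /* The affected systems produced 666 files, so the process umask was not
     * masking the group/other write bits.  Clear umask to reproduce that
     * deterministically (an assumption about the environment, not a
     * statement from the posting). */
    saved = umask(0);

    for (i = 0; i < 2; i++) {
        snprintf(base, sizeof base, "%s/%s", dir, names[i]);
        for (j = 0; j < 2; j++)
            if (create_db_file(base, suffixes[j], modes[i]) != 0) {
                umask(saved);
                return -2;
            }
        result[i] = check_pair(base);
    }
    umask(saved);

    /* Remove the scratch files so the demo leaves nothing behind. */
    for (i = 0; i < 2; i++)
        for (j = 0; j < 2; j++) {
            snprintf(path, sizeof path, "%s/%s%s", dir, names[i], suffixes[j]);
            unlink(path);
        }
    rmdir(dir);

    return (result[0] == 1 && result[1] == 0) ? 0 : -3;
}

int main(void)
{
    int rc = run_demo();
    printf("creat(0666) pair world-writable, creat(0644) pair not: %s\n",
           rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The same world_writable() check, pointed at the real aliases.dir and aliases.pag after running newaliases, is the quick audit the posting describes: a 1 from either file means any local user can rewrite an alias entry in place.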