Date: Sat, 28 Sep 1996 01:33:07 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: "reality." <batsy@io.org>
Cc: security@FreeBSD.org
Subject: Re: Exploit for sendmail security hole (version 8.6.12 for FreeBSD
Message-ID: <Pine.NEB.3.92.960928012530.10171Q-100000@zap.io.org>
In-Reply-To: <199609262324.BAA24530@matrix.wg.camelot.de>

On Fri, 27 Sep 1996, Stefan Zehl wrote:
>
> I could not confirm the following for FreeBSD2.1.0R while running NIS,
> I will try on a non-NIS machine tomorrow, but I think it might be
> of interest anyway :)
>
> : /* Hi ! */
> : /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */
> : /* If you have any problems with it, send letter to me. */
> : /* Have fun ! */

This exploit may be limited to 8.6.x... a 2.1.0-RELEASE system
upgraded to 8.7.5 does not appear to be vulnerable.

% ./a.out
chfn: rebuilding the database...
chfn: done
Bus error
See result in /tmp
% ls -l /tmp
total 18
-rwxr-xr-x  1 taob  nogroup  8828 Sep 28 01:24 a.out
-rwxr-xr-x  1 taob  nogroup    43 Sep 28 01:24 hack
-rw-r--r--  1 taob  staff    2686 Sep 28 01:23 sroot.c
-rw-r--r--  1 taob  nogroup   383 Sep 28 01:24 user.inf
% uname -v
FreeBSD 2.1.0-RELEASE #0: Thu May 2 18:53:14 EDT 1996 taob@cabal.net5a.io.org:/src/2.1.0-RELEASE/sys/compile/MAIL
% telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.io.org.
Escape character is '^]'.
220 post.io.org ESMTP Sendmail 8.7.5/8.7.3; Sat, 28 Sep 1996 01:27:20 -0400 (EDT)

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"