From owner-freebsd-hackers Sat Nov 16 16:26:34 1996 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA29823 for hackers-outgoing; Sat, 16 Nov 1996 16:26:34 -0800 (PST) Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA29817; Sat, 16 Nov 1996 16:26:32 -0800 (PST) Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id SAA13138; Sat, 16 Nov 1996 18:24:55 -0500 Date: Sat, 16 Nov 1996 17:24:55 -0600 (CST) From: "S(pork)" X-Sender: spork@super-g.inch.com To: Karl Denninger cc: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org Subject: Re: New sendmail bug... In-Reply-To: <199611170017.SAA16884@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-hackers@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk Thanks, also I just installed smrsh on a whim (I'm definetly not a C expert, very very novice here) and smrsh (included in the sendmail dist) takes care of the problem as well... Exploit to follow... Charles On Sat, 16 Nov 1996, Karl Denninger wrote: > > > > It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with > > more knowledge on this issue can check it out, please post to the list so > > everyone can free themselves of this vulnerability. Root in under 15 > > seconds with an account on the machine. If you need the 'sploit, please > > mail me here and I'll send it to you. I verified it on FBSD, NetBSD, > > Linux so far... > > > > TIA > > > > Charles > > Its real - and the fix is two lines inserted in the sighup() handler: > > setgid(RealGid); > setuid(RealUid); > > prior to the exec call. > > -- > -- > Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity > http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service > | 33 Analog Prefixes, 13 ISDN, Web servers $75/mo > Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ > Fax: [+1 312 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal >