Date: Thu, 10 Sep 1998 14:53:10 +0100 (BST)
From: Jay Tribick
To: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <3.0.3.32.19980910084313.011f48f0@207.227.119.2>

| >Was just having a look in /var/log the other day and spotted
| >a file called sendmail.st, wondering what it was I cat'd it
| >and here's what it did:
| >
| >bofh$ cat sendmail.st
| >`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
| >su: xtermxterm: command not found
| >bofh$
| >
| >This seems quite scary to me, couldn't someone embed 'rm -rf /'
| >within a text file and then, if root cats the file it nukes
| >their system?
| >
| >Here's an 'od' dump of the file, unfortunately I don't have the
| >time to investigate this further:
| >
| >bofh$ od sendmail.st
| --snip--
|
| It is a binary file.
|
| The sendmail.st file is used for mailer stats for sendmail ala mailstats:
|
| # mailstats
| Statistics from Thu Sep 3 05:10:01 1998
|  M msgsfr bytes_from  msgsto bytes_to msgsrej msgsdis  Mailer
|  3   2060      6227K      45      60K       0       0  local
|  5      0         0K    2073    6207K       0       0  esmtp
| =============================================================
|  T   2060      6227K    2118    6267K       0       0
|
| Terminals don't like it when you cat a binary.

It's not the fact that it was a binary that puzzled me but that
it had managed to execute a command on the shell just by me
cat'ing the file.

Forgot to mention that it was in an xterm and doesn't affect
Virtual Consoles.

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]
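
Added example, not part of the original thread: a terminal acts on control bytes in whatever is printed to it, and some standard VT100-style sequences ask the terminal to transmit a reply, which then arrives on the shell's input as if it had been typed. The sketch below lists such requests in a byte string and renders the bytes the way `cat -v` does, so nothing reaches the terminal raw. The sample bytes are constructed; the thread does not say which sequence was in the file.

```python
import re

# Standard VT100-style requests that make a terminal transmit a reply:
# ENQ (answerback), ESC Z (DECID), CSI ... c (Device Attributes),
# CSI ... n (Device Status Report). CSI is ESC [ or the 8-bit byte 0x9B.
QUERY_RE = re.compile(rb"\x05|\x1bZ|(?:\x1b\[|\x9b)[?>=]?[0-9;]*[cn]")


def find_queries(data: bytes):
    """Return (offset, raw_bytes) for each reply-provoking sequence found."""
    return [(m.start(), m.group()) for m in QUERY_RE.finditer(data)]


def _caret(b: int) -> str:
    """7-bit rendering: ^X for control codes, ^? for DEL, else the character."""
    if b < 0x20:
        return "^" + chr(b + 0x40)
    return "^?" if b == 0x7F else chr(b)


def visible(data: bytes) -> str:
    """Render bytes like `cat -v`: newline and tab pass through, other
    control codes become ^X, and bytes >= 0x80 get an M- prefix."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):
            out.append(chr(b))
        elif b < 0x80:
            out.append(_caret(b))
        else:
            out.append("M-" + _caret(b & 0x7F))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample, NOT the contents of the sendmail.st from the thread.
    sample = b"stat\x05s\x1b[c\x00\xe1\n"
    for offset, seq in find_queries(sample):
        print(f"offset {offset}: {seq!r}")
    print(visible(sample), end="")
```

For the statistics themselves, `mailstats` (shown in the quoted reply) is the intended reader of sendmail.st.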