From owner-freebsd-security Sun Nov 17 10:21:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA21346 for security-outgoing; Sun, 17 Nov 1996 10:21:29 -0800 (PST)
Received: from ns1.zns.net (ns1.zygaena.com [206.148.80.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA21322 for ; Sun, 17 Nov 1996 10:21:18 -0800 (PST)
Received: (from nobody@localhost) by ns1.zns.net (8.7.5/8.7.3) id NAA21285 for ; Sun, 17 Nov 1996 13:21:22 -0500 (EST)
Received: from selway.i.com(198.30.169.1) by ns1.zns.net via smap (V1.3) id sma021283; Sun Nov 17 13:21:07 1996
Received: (from ewb@localhost) by selway.i.com (8.7.3/8.7.3) id NAA09840 for freebsd-security@FreeBSD.org; Sun, 17 Nov 1996 13:20:58 -0500 (EST)
Date: Sun, 17 Nov 1996 13:20:58 -0500 (EST)
From: Will Brown
Message-Id: <199611171820.NAA09840@selway.i.com>
To: freebsd-security@FreeBSD.org
Subject: Re: new sendmail exploit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Definitely exploitable on Solaris 2.5 (and presumably lower). As
Wolfgang and others pointed out. Just used bash instead of /bin/sh.
No need to use /tmp either. Heck you could put it in /usr/bin!

Patch to 8.8.2 from Eric Allman seems to work (on Solaris 2.4)
"leshka" prints "501 Permission denied" and "smptd" is not spawned.
Log message:

sendmail[17653]: uid 1374 tried to start daemon mode

Sorry for the O/S version discrepancies here. 2.4 machine was most
critical so I patched it first.

--
Will Brown
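
Added example, not part of the original message and not sendmail's own code: a Python scan of syslog lines for the refusal message quoted above, grouping refused daemon-mode starts by uid. The timestamp and hostname prefix, the function name, and every sample line other than the quoted message are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the message quoted in the post. Nothing is assumed about the
# syslog prefix in front of "sendmail[", so search() is used, not match().
DAEMON_ATTEMPT = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: uid (?P<uid>\d+) tried to start daemon mode"
)


def find_daemon_attempts(lines):
    """Return {uid: [pid, ...]} for each refused daemon-mode start (hypothetical helper)."""
    hits = defaultdict(list)
    for line in lines:
        m = DAEMON_ATTEMPT.search(line)
        if m:
            hits[int(m.group("uid"))].append(int(m.group("pid")))
    return dict(hits)


# Constructed sample input: only the "sendmail[17653]: uid 1374 ..." text
# comes from the post; the prefix and the other lines are made up.
SAMPLE_LOG = [
    "Nov 17 13:02:11 host1 sendmail[17653]: uid 1374 tried to start daemon mode",
    "Nov 17 13:02:15 host1 sendmail[17660]: NAA17660: to=ewb, stat=Sent",
    "Nov 17 13:04:40 host1 sendmail[17702]: uid 1374 tried to start daemon mode",
    "Nov 17 13:09:02 host1 sendmail[17810]: uid 1001 tried to start daemon mode",
    "Nov 17 13:09:30 host1 login: uid 1001 tried something unrelated",
]

if __name__ == "__main__":
    for uid, pids in sorted(find_daemon_attempts(SAMPLE_LOG).items()):
        print(f"uid {uid}: {len(pids)} refused attempt(s), pids {pids}")
```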