Date: Thu, 2 Nov 2000 18:09:12 +0300 From: Vladimir Dubrovin <vlad@sandy.ru> To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: vulnerability in mail.local (fwd) Message-ID: <14381494372.20001102180912@sandy.ru> In-Reply-To: <200011021428.eA2ESvl34243@cwsys.cwsent.com> References: <200011021428.eA2ESvl34243@cwsys.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Cy Schubert - ITSD Open Systems Group,
02.11.00 17:28, you wrote: vulnerability in mail.local (fwd);
>> mail.local(8) is no longer installed as a set-user-id binary.
C> I would think that there is still a non-privileged user exploit.
Under FreeBSD mail.local always invoked from sendmail. Sendmail
doesn't allow addresses like this:
Nov 2 17:54:07 adm sendmail[19467]: RAA19467: from=|/sbin/reboot@sandy.ru, size
=70, class=0, pri=30070, nrcpts=1, msgid=<200011021453.RAA19467@xxx.xxx.ru>
, proto=SMTP, relay=xxx.xxx.ru [192.168.1.40]
Nov 2 17:54:07 adm sendmail[19540]: RAA19467: to=vlad@sandy.ru, delay=00:00:40,
xdelay=00:00:00, mailer=fastsmtp, relay=xxx.xxx.ru [192.168.1.5], stat=
Data format error
Nov 2 17:54:07 adm sendmail[19540]: RAA19467: RAA19540: DSN: Data format error
all MUAs like "mail" use sendmail instead of mail.local even in case of local user.
--
Vladimir Dubrovin Sandy, ISP
Sandy CCd chief Customers Care dept
http://www.sandy.ru Nizhny Novgorod, Russia
http://www.security.nnov.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14381494372.20001102180912>