From owner-freebsd-security Sat Sep 28 00:33:03 1996
Message-Id: <199609280732.BAA13246@fluffy.aros.net>
To: Brian Tao
cc: security@freebsd.org
Subject: Re: Exploit for sendmail security hole (version 8.6.12 for FreeBSD
In-reply-to: Your message of "Sat, 28 Sep 1996 01:33:07 EDT."
Date: Sat, 28 Sep 1996 01:32:57 -0600
From: Dave Andersen

The exploit is limited to 8.6.x in its present incarnation, but the bug is most definitely not - the bus error you generated is a fairly good indicator of that. Most likely, the exploit could be tuned to hit 8.7.5 by changing the offset it uses. I haven't played around with it enough to really tell.

In any event, upgrading to 8.7.6 is A Good Thing - the latest -current and -stable distributions are already upgraded (and have been since 2 days after the bug was publicized).

-Dave

> This exploit may be limited to 8.6.x... a 2.1.0-RELEASE system
> upgraded to 8.7.5 does not appear to be vulnerable.
>
> % ./a.out
> chfn: rebuilding the database...
> chfn: done
> Bus error
> See result in /tmp
>
> % ls -l /tmp
> total 18
> -rwxr-xr-x 1 taob nogroup 8828 Sep 28 01:24 a.out
> -rwxr-xr-x 1 taob nogroup 43 Sep 28 01:24 hack
> -rw-r--r-- 1 taob staff 2686 Sep 28 01:23 sroot.c
> -rw-r--r-- 1 taob nogroup 383 Sep 28 01:24 user.inf
>
> % uname -v
> FreeBSD 2.1.0-RELEASE #0: Thu May 2 18:53:14 EDT 1996
> taob@cabal.net5a.io.org:/src/2.1.0-RELEASE/sys/compile/MAIL
>