From owner-freebsd-security Sat Nov 16 20:24:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA25631 for security-outgoing; Sat, 16 Nov 1996 20:24:59 -0800 (PST)
Received: from irbs.irbs.com (jc@irbs.irbs.com [199.182.75.129]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA25624 for ; Sat, 16 Nov 1996 20:24:53 -0800 (PST)
Received: (from jc@localhost) by irbs.irbs.com (8.8.2/8.8.0) id XAA09008; Sat, 16 Nov 1996 23:24:33 -0500 (EST)
Message-Id: <199611170424.XAA09008@irbs.irbs.com>
Date: Sat, 16 Nov 1996 23:24:33 -0500
From: jc@irbs.com (John Capo)
To: raistlin@chaos.ecpnet.com (Justen Stepka)
Cc: freebsd-security@FreeBSD.org
Subject: Re: New sendmail bug...
References:
X-Mailer: Mutt 0.49-PL10
Mime-Version: 1.0
In-Reply-To: ; from Justen Stepka on Nov 16, 1996 18:56:47 -0600
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Quoting Justen Stepka (raistlin@chaos.ecpnet.com):
>
> I tested this on FBSD and I couldn't get it to work. Though when I tried
> it on Linux it worked in about 10 seconds :(, currently I have disabled
> accounts on my machines until I fix the problem.
>

Look at /tmp/sh, you may find it suid root. Sendmail may not have
had a chance to get the shell copied and suid by the time the exploit
script tries to run /tmp/sh.

John Capo
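
The check suggested in the message above, written out as a script. This is an added example, not part of the original post: it lists setuid files in a directory and marks those that are byte-for-byte copies of a system shell. The function name `find_suid_shell_copies` and the `SHELLS` list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid files in a directory (such as /tmp) and note
# which ones are identical copies of a system shell, e.g. a leftover /tmp/sh.
# SHELLS is an assumed list of shell paths; adjust it for the host.
SHELLS="/bin/sh /bin/bash /bin/csh /bin/tcsh /bin/ksh /bin/zsh /bin/dash"

# find_suid_shell_copies DIR [OWNER_UID]
# Prints one line per setuid regular file in DIR owned by OWNER_UID
# (default 0, i.e. root):
#   SHELLCOPY <path> <matching shell>   file is identical to a system shell
#   SUID <path>                         setuid, but not a known shell copy
find_suid_shell_copies() {
    dir=$1
    uid=${2:-0}
    # -xdev stays on one filesystem; -perm -4000 selects the setuid bit.
    find "$dir" -xdev -type f -perm -4000 -user "$uid" 2>/dev/null |
    while IFS= read -r f; do
        match=""
        for s in $SHELLS; do
            # cmp -s is silent and returns 0 only for identical contents.
            if [ -r "$s" ] && cmp -s "$f" "$s"; then
                match=$s
                break
            fi
        done
        if [ -n "$match" ]; then
            printf 'SHELLCOPY %s %s\n' "$f" "$match"
        else
            printf 'SUID %s\n' "$f"
        fi
    done
}

# Run a scan only when a directory is given on the command line,
# for example: sh scan.sh /tmp
if [ $# -gt 0 ]; then
    find_suid_shell_copies "$@"
fi
```

A file that the scanning user cannot read is reported as `SUID` rather than `SHELLCOPY`, so run the scan as root to compare contents reliably.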