The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Run arbitrary commands remotely as the user running vacation
At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
1 September 1997
Date: Tue, 2 Sep 1997 00:43:29 -0600
From: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Subject: SNI-18: Vacation Vulnerability
X-Premail-Auth: Good signature from user "Secure Networks Inc.
##### ## ## ######
## ### ## ##
##### ## # ## ##
## ## ### ##
##### . ## ## . ###### .
Secure Networks Inc.
September 1, 1997
This advisory addresses a vulnerability in the vacation program which
allows individuals to execute commands remotely on vulnerable systems.
Vacation is used by the recipient of email messages to notify the sender
that they are not currently reading their mail. This is installed by
placing a .forward file into your directory containing a line as follows:
\user, "|/usr/bin/vacation user"
When vacation responds to an incoming message, it invokes the sendmail
command, specifying the address of the sender on the command line. By
specifying a sendmail command line option rather than a valid email
address, it is possible to cause sendmail to be invoked with an
alternate configuration file. This alternate configuration file can
be previously sent to the system via a seperate email message, or via
anonymous FTP. When parsed, this new sendmail configuration file
can cause sendmail to execute arbitrary commands on the remote system.
By specifying the originating address of an email message to consist of
a path to an alternate configuration file (i.e. -C/var/mail/user), the
vacation program will invoke sendmail, and use /var/mail/user as the
configuration file. If the user's mailbox contains valid sendmail
configuration options, sendmail will treat the user's mail spool as a
sendmail configuration file. Sendmail can be induced execute arbitrary
shell commands from its configuration file. Variations on this attack
may be possible using sendmail options other than -C.
Remote individuals can obtain access to the account of any user running
the vacation program.
The following assessments assume that an attacker can utilize the -C
command line option of sendmail to specify an alternate configuration
file and execute commands. Other methods of causing sendmail to
execute commands via command line options may be present.
Operating systems which ship with a vulnerable version of vacation are:
AIX Version 4.2 is vulnerable. Version 4.1 is also vulnerable if
public domain version of sendmail 8 has been installed.
FreeBSD All versions prior to August 28, 1997.
NetBSD All versions prior to NetBSD-current 19970828 are vulnerable.
OpenBSD All versions prior to July 29, 1997
Solaris All versions of Solaris are vulnerable ONLY if a public domain
version of sendmail has been installed, other than Solaris
Linux The two versions of vacation on the sunsite.unc.edu Linux
archive are both vulnerable as of August 5, 1997. Linux
distributions we have verified do not ship with the vacation
HP-UX HP-UX is vulnerable ONLY if a public domain version of
sendmail, other than HP-UX sendmail has been installed.
BSD/OS (BSDI) is NOT vulnerable to this problem.
Silicon Graphics IRIX does NOT APPEAR to be vulnerable to this problem.
Only the version of vacation shipped with AIX 4.2 is vulnerable. The
following APAR will be available soon:
Abstract: "SECURITY: /usr/bin/vacation vulnerability"
AIX 4.1: IX70228
AIX 4.2: IX70233
Until these fixes are applied, the vacation program should be disabled
with the following command (as root):
# chmod -x /usr/bin/vacation
If disabling vacation is not desirable, there is a temporary fix available
via anonymous ftp:
IBM and AIX are registered trademarks of International Business Machines
The version of vacation shipped with HP-UX is vulnerable. This
vulnerability is exploitable by remote users only if the system
administrator has installed a version of sendmail version 8, other
than HP sendmail. HP will be providing a fix in the near future.
The version of vacation shipped with Solaris is vulnerable if a
public domain version of sendmail, other than Solaris sendmail,
has been installed on the system. Sun Microsystems will be
issuing a solution to this problem in the near future.
As a short term workaround, the vacation program be disabled by
changing the permissions as follows:
# chmod -x /bin/vacation
This problem is present in OpenBSD-current prior to August 29, 1997.
Update your vacation sources to the version in -current using anoncvs,
or apply the fix provided below. Then recompile the vacation program.
See http://www.openbsd.org for information about anoncvs.
FreeBSD has corrected this problem in 2.1-stable, 2.2-stable and
3.0-current as of August 28, 1997. The source change described in
this advisory corrects the problem. This problem will be fixed in
the upcoming 2.2.5-RELEASE and 3.0-RELEASE versions of FreeBSD.
This problem is present in NetBSD-current prior to 19970828 and is
fixed in later releases.
Upgrade to a version of NetBSD-current newer than 19970828 or apply
the fix provided below.
Obtain a patched version of vacation at the following location:
To extract the archive when it is in the current directory, issue the
% uncompress vacation.tar
% tar -xvf vacation.tar
Then follow the installation instructions in the README file included
in the archive. Please note that this version of vacation is taken
from BSD sources, and may require modification to work on other
The following patch, suggested independently by Eric Allman and Keith
Bostic, solves the problem.
Note that SNI has *not* verified that sendmail versions other than
sendmail version 8 properly emulate getopt() in their interpretation of
the option "--". If you are applying this patch to an operating system
which ships with a modified or older version of sendmail, you should
verify that the sendmail command-line options which are *not* done
using getopt() do not get parsed if they are preceeded by a '--' option.
The following line:
execl(_PATH_SENDMAIL, "sendmail", "-f", myname, from, NULL);
should be substituted with:
execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from, NULL);
The provided generic fix was suggested by both Eric Allman
<email@example.com> and Keith Bostic <firstname.lastname@example.org>
This problem was discovered by David Sacerdote <email@example.com>,
and verified by David Sacerdote <firstname.lastname@example.org> and
Oliver Friedrichs <email@example.com>.
You can subscribe to our security advisory mailing list by sending
mail to firstname.lastname@example.org, containing the single line
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers or
http://www.secnet.com/papers and past advisories at
ftp://ftp.secnet.com/pub/advisories or http://www.secnet.com/advisories
You can contact Secure Networks Inc. at <email@example.com> using
the following PGP key:
Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <firstname.lastname@example.org>
Secure Networks <email@example.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely in unmodified form provided that no fee is
charged for distribution, and that proper credit is given.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: