Sendmail 8.8.[34] dead.letter exploit

Summary
Description:A hard-link vulnerability
Author:C0WZ1LL4@NETSPACE.ORG
Compromise: root (local)
Vulnerable Systems:SOME systems running sendmail 8.8.[34] possibly 8.8.5 in some situations.
Date:22 March 1997
Notes:This doesn't always work, it depends among other things on if they have POSTMASTER of MAIL_DAEMON defined in /etc/aliases. Remember if /var is on another partition, ln to a file in /var ... there are plenty to choose from ;)
Details

Exploit: 
Date: Sat, 22 Mar 1997 02:30:49 -0500
From: C0WZ1LL4@NETSPACE.ORG
To: BUGTRAQ@NETSPACE.ORG

Hello fellow mongoloids
Try this:
Make hard link of /etc/passwd to /var/tmp/dead.letter
Telnet to port 25, send mail from some bad email address to some 
unreacheable hoost.
Watch your message get appended to passwd.
ie:
cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh

This is not good.  Worked with my 8.8.4, will probably also work with 8.8.5
Root for the whole family

-Cowzilla the omnipotent b0v1n3
PD
Greets to various #2600 people


Date: Tue, 25 Mar 1997 09:57:47 +0100
From: Claude Scarpelli 
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: New Sendmail bug

    [The following text is in the "iso-8859-1" character set]
    [Your display is set for the "US-ASCII" character set]
    [Some characters may be displayed incorrectly]

In a mail dated Mar 24, bygranz@RS6000.CMP.ILSTU.EDU (Gonzo Granzeau) wrote:
> Jeffrey Moyer once rambled this:
> > On Sat, 22 Mar 1997 C0WZ1LL4@NETSPACE.ORG wrote:
> >
> > > Hello fellow mongoloids
> > > Try this:
> > > Make hard link of /etc/passwd to /var/tmp/dead.letter
> > > Telnet to port 25, send mail from some bad email address to some
> > > unreacheable hoost.
> > > Watch your message get appended to passwd.
> > > ie:
> > > cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh
>
> okay, just want to point out some things about this exploit...
> this won't work on big boxes that are partitioned cause you can only do a
> hard link on the same file system.  another point is that any box that has
> a 'MAILER-DAEMON' defined will get any mail that gets sent there instead 
of it

Sometimes, sendmail can't send mail to MAILER-DAEMON. In these case,
the message is stored in /var/tmp/dead.letter.

I have seen it appear in the following configuration :

1) sendmail on the best MX host is configured to refuse mail bigger
   than x bytes.

2) sendmail on a lower priority MX host is configured as a null client
   (FEATURE(nullclient)), but without the size limit.

3) a big mail (bigger than x bytes) arrives on the host where sendmail
   is configured as a null client (the low priority MX host).

Here is what happens then:

4) the null client tries to pass the mail to the best MX, which refuse
   it (bigger than x bytes)

5) So the null client tries to bounce back the mail to the
   originator. Since  it is a null client, it sends the mail to the
   best MX host.

6) But the best MX host refuses the mail (bigger than x bytes). So the
   null client tries to send a notification to MAILER-DAEMON. Since it
   is a null client, it sends this mail to the best MX host, which
   refuse it (bigger than x bytes). This a case where sendmail will
   write to /var/tmp/dead.letter.

It may exist other ways for sendmail to write in /var/tmp/dead.letter.


--
-----------------------------------------------------------------------------
-
Claude Scarpelli                        | Defenestrate: to exit a window
INFOBIOGEN ::= INFOrmatique appliquée à | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes | Vol 146, No. 20, Nov 13, 1995)
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: