Sendmail 8.8. dead.letter exploit
|Description:||A hard-link vulnerability|
|Compromise:|| root (local) |
|Vulnerable Systems:||SOME systems running sendmail 8.8. possibly 8.8.5 in some situations. |
|Date:||22 March 1997 |
|Notes:||This doesn't always work, it depends among other things on if they have POSTMASTER of MAIL_DAEMON defined in /etc/aliases. Remember if /var is on another partition, ln to a file in /var ... there are plenty to choose from ;)|
Date: Sat, 22 Mar 1997 02:30:49 -0500
Hello fellow mongoloids
Make hard link of /etc/passwd to /var/tmp/dead.letter
Telnet to port 25, send mail from some bad email address to some
Watch your message get appended to passwd.
cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh
This is not good. Worked with my 8.8.4, will probably also work with 8.8.5
Root for the whole family
-Cowzilla the omnipotent b0v1n3
Greets to various #2600 people
Date: Tue, 25 Mar 1997 09:57:47 +0100
From: Claude Scarpelli
Subject: Re: New Sendmail bug
[The following text is in the "iso-8859-1" character set]
[Your display is set for the "US-ASCII" character set]
[Some characters may be displayed incorrectly]
In a mail dated Mar 24, bygranz@RS6000.CMP.ILSTU.EDU (Gonzo Granzeau) wrote:
> Jeffrey Moyer once rambled this:
> > On Sat, 22 Mar 1997 C0WZ1LL4@NETSPACE.ORG wrote:
> > > Hello fellow mongoloids
> > > Try this:
> > > Make hard link of /etc/passwd to /var/tmp/dead.letter
> > > Telnet to port 25, send mail from some bad email address to some
> > > unreacheable hoost.
> > > Watch your message get appended to passwd.
> > > ie:
> > > cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh
> okay, just want to point out some things about this exploit...
> this won't work on big boxes that are partitioned cause you can only do a
> hard link on the same file system. another point is that any box that has
> a 'MAILER-DAEMON' defined will get any mail that gets sent there instead
Sometimes, sendmail can't send mail to MAILER-DAEMON. In these case,
the message is stored in /var/tmp/dead.letter.
I have seen it appear in the following configuration :
1) sendmail on the best MX host is configured to refuse mail bigger
than x bytes.
2) sendmail on a lower priority MX host is configured as a null client
(FEATURE(nullclient)), but without the size limit.
3) a big mail (bigger than x bytes) arrives on the host where sendmail
is configured as a null client (the low priority MX host).
Here is what happens then:
4) the null client tries to pass the mail to the best MX, which refuse
it (bigger than x bytes)
5) So the null client tries to bounce back the mail to the
originator. Since it is a null client, it sends the mail to the
best MX host.
6) But the best MX host refuses the mail (bigger than x bytes). So the
null client tries to send a notification to MAILER-DAEMON. Since it
is a null client, it sends this mail to the best MX host, which
refuse it (bigger than x bytes). This a case where sendmail will
write to /var/tmp/dead.letter.
It may exist other ways for sendmail to write in /var/tmp/dead.letter.
Claude Scarpelli | Defenestrate: to exit a window
INFOBIOGEN ::= INFOrmatique appliquée à | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes | Vol 146, No. 20, Nov 13, 1995)
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: