com (Eric Murray) writes:
# > This "sort of attack" was the basis for the Morris Internet Worm which
# > attracted (inter)national attention a few years back (I always preferred
# > the term "Trojan Horse")
# Um, I thought the sendmail hole the Morris worm used was
# the infamous 'wizard' mode, where you telnetted into the sendmail port
# and typed 'wizard'. Then sendmail just asked for a password
# and if you provided it, dropped you into a root shell.
The hole that I recall the worm using was the "DEBUG" hole. If you
issued a "DEBUG" command over the SMTP channel, the server would drop
into (guess what) a debugging mode. Among other things, the debugging
mode disabled the code that prevented remote users from directly
specifying pipes ("|/bin/sh ...") as recipients of messages.
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041
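
An added detection example, not part of the original post: a small scanner over the client-side command lines of one SMTP session that flags the DEBUG and 'wizard' commands mentioned in this thread, and RCPT TO recipients that begin with a pipe. The session lines, the finding names and the `scan_session` function are constructed for illustration, and the scanner assumes every DATA command is accepted by the server.

```python
import re

# Command verbs named in the thread above; matched case-insensitively.
SUSPECT_VERBS = {"DEBUG", "WIZARD"}
# RCPT TO whose address (after an optional '<' and quote) starts with a pipe.
PIPE_RCPT = re.compile(r'^RCPT\s+TO:\s*<?\s*"?\s*\|', re.IGNORECASE)


def scan_session(lines):
    """Return [(line_no, reason), ...] for one session's client command lines.

    Message body lines between DATA and the terminating "." are skipped, so
    text that merely mentions DEBUG or a pipe in a mail body is not reported.
    A pipe recipient seen after DEBUG in the same session gets its own reason,
    since that is the combination the post describes.
    """
    findings = []
    debug_seen = False
    in_data = False
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if in_data:
            if line == ".":          # end-of-message marker
                in_data = False
            continue
        verb = line.split(None, 1)[0].upper() if line else ""
        if verb == "DATA":           # assumption: the server accepts DATA
            in_data = True
        elif verb in SUSPECT_VERBS:
            debug_seen = debug_seen or verb == "DEBUG"
            findings.append((no, f"{verb.lower()}-command"))
        elif PIPE_RCPT.match(line):
            reason = "pipe-recipient-after-debug" if debug_seen else "pipe-recipient"
            findings.append((no, reason))
    return findings


# Constructed sample session (client lines only), not a real capture.
SAMPLE = [
    "HELO client.example",
    "DEBUG",
    "MAIL FROM:<user@client.example>",
    'RCPT TO:<"|/bin/sh">',
    "DATA",
    "debug notes: RCPT TO:<|not-a-command>",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for line_no, reason in scan_session(SAMPLE):
        print(f"line {line_no}: {reason}: {SAMPLE[line_no - 1]}")
```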