Great Circle Associates Firewalls
(March 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Hey the crackers have a new twist 8-(.
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date: Sat, 26 Mar 1994 13:06:13 -0800
To: ericm @ MicroUnity . com (Eric Murray)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Sat, 26 Mar 94 11:32:42 PST

ericm @
 MicroUnity .
 com (Eric Murray) writes:

# > This "sort of attack" was the basis for the Morris Internet Worm which
# > attracted (inter)national attention a few years back (I always preferred
# > the term "Trojan Horse")
# 
# Um, I thought the sendmail hole the the Morris worm used was
# the infamous 'wizard' mode, where you telnetted into the sendmail port
# and typed 'wizard'.  Then sendmail just asked for a password
# and if you provided it, dropped you in to a root shell.

The hole that I recall the worm using was the "DEBUG" hole.  If you
issued a "DEBUG" command over the SMTP channel, the server would drop
into (guess what) a debugging mode.  Among other things, the debugging
mode disabled the code that prevented remote users from directly
specifying pipes ("|/bin/sh ...") as recipients of messages.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @
 GreatCircle .
 COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041

Indexed By Date Previous: Re: Hey the crackers have a new twist 8-(.
From: Icarus Sparry <ccsis @ ss1 . bath . ac . uk>
Next: Re: Hey the crackers have a new twist 8-(.
From: Ian Dunkin <imd1707 @ ggr . co . uk>
Indexed By Thread Previous: Re: Hey the crackers have a new twist 8-(.
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Next: Re: Hey the crackers have a new twist 8-(.
From: "marcus (m.d.) leech" <mleech @ bnr . ca>

Google
 
Search Internet Search www.greatcircle.com