Previously, Dr. Frederick B. Cohen wrote:
> [and somebody else wrote]
> [questions about when and why the ident sendmail exploit works sometimes
and not other times]
> > I have tried every test I can think of to figure out why the
> > nobody account worked and fc didn't, and I can find no sensible reason...
I had some similar questions, and the answer seems to be this: depending
your sendmail.cf file, sendmail may process smtp requests immediately, or
it may stick them in the queue to be handled sometime later. (Depending on
the setting of Od and the machine loading when the message is received over
smtp.) If the message is processed immediately (background mode) everything
appears to be handled correctly. When it gets queued up and processed later
is when you have the problems.
This makes some sense I think. What appears to be happening is $_ is
getting newlines and various bad things in it. As long as the mail is
processed immediately, these things are just a part of $_ which only show
up in the header of the delivered mail. When this is written out to the
queue file (qf*) things get messy. The queue file is read back in later
and sendmail is now fooled by the newlines. Putting neat stuff in like
R<"|/some/command and args"> works. You can almost avoid that if you're
running smrsh or something as your Mprog, but the mildly clever hacker can
get around it by just redefining Mprog. (Mlocal as well for that matter.)
The same idea pretty much holds for abusing the -p command line option.
I suppose the same may hold for things like -oM, -f, or $FULLNAME, but I
never really checked those out.
> > While we are talking, I have been trying to get a copy of the
> > attack code to be able to provide tests from here (rather than always
> > sending the requests to Hobbit's machine). Do you have a copy I could
> > put here to allow users to test more directly?
> No, I don't. You could try asking Hobbit for it.
Since this is pretty damn well known already, and since I felt slightly
disappointed by Niel's and Karl's change of position on full disclosure, I'll
send along a couple of quick hacks.
There are two progs attached, both very short. You should be sure to read
them carefully and make sure you understand them before you run them. They
are not quite as innocuous as Hobbit's example. They also may need slight
modifications depending on your system. They should work on 4.1.x as is,
but your mileage will vary depending on the location of your inetd and such.
The first is a replacement for identd. Compile it and add the appropriate
line to your /etc/inetd.conf and be sure to kick inetd with a kill -HUP.
Then just telnet to your smtp port and fire away whatever test message you
want. Or if you want to test a different system just mail something there.
Make sure you know what you're looking for on the target system, and don't
forget to kill off anything unwanted that starts-up there.
The second is real self explanatory.
Learn, enjoy, and fix your security.
Michael R. Widner
[ Code deleted; Firewalls mailing list policy is that cracking code
should NOT be posted to the list. -Brent ]
Michael R. Widner