> This *IS* not the complete exploit. There was a crucial step to the exploit
> that was left out. I do think the person who dumped the above to IRC
> intentionally left the step out.
I think anyone who has played with sendmail could figure out the step.
All you need to do is send a message to a correct address before trying
to send to '| sed...'.
This hole seems to work on Sun4.1.x only, as far as I can tell.
I have tested it on various systems with administrator's permissions.
> I have written exploit code that will exploit the bug and listen on a port
> and spawn a shell upon connection.
Gee, that would be hard. I think the popular way of getting a shell quickly
was to execute a command like: echo "+ +" > /usr/bin/.rhosts.
Then anyone could rsh hostname -l bin /bin/csh -bif. Not only does that
get you in, it leaves no trace in utmp, wtmp, or lastlog.
This is common knowledge among security experts.
> (This is very bad for those firewalls who do not block non-priv ports)
Having this hole is bad for anyone. If you were some industrial spy,
you could easily write a script to search for all the source code on
the machine and mail it back to you. That might not be as bad as getting
a shell on the machine, but potentially just as bad.
> If the exploit or the missing step *IS* leaked, I will publish my exploit
> code to the world. Undoubtedly, this should answer the question of: Do we
> post the exploit or not (as hundreds of sites are penetrated by hackers)?
Posting it will only give administrators a chance to test their systems,
since CERT seems to think that hackers are actively using this bug anyway.
Christopher William Klaus
Internet: gt6468c @
edu coup @
edu cklaus @
26468 GaTech Station, Atlanta Georgia, 30332 (404)-206-1513
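The "+ +" .rhosts trick above is the part of this an administrator can actually check for today. What follows is an added example, not code from the original post or from its author: a small audit script that parses .rhosts / hosts.equiv content in the classic BSD format (one "host [user]" pair per line, '+' meaning any host or any user, '+@group' a netgroup, a leading '-' a deny entry) and flags entries that grant passwordless rsh/rlogin access to the world. The '#'-comment handling, the severity labels, the sample file contents and the scan_system helper that walks every home directory listed in /etc/passwd (including system accounts such as bin, whose home on the affected systems is /usr/bin) are all my assumptions for this example.

```python
"""Audit .rhosts and hosts.equiv files for wildcard trust entries.

Added example; not part of the original post. Flags the "+ +" style
backdoor described above, plus the weaker one-sided wildcards.
"""
import os

# Constructed sample input for demonstration (not a real file).
SAMPLE_RHOSTS = """\
# trusted peers
trusted.example.com alice
+ +
+ bin
lab.example.com +
-evil.example.com
+@admins
"""


def parse_rhosts(text):
    """Yield (host, user, line_no) for each entry in .rhosts text.

    Assumptions: '#' starts a comment (true of most BSD-derived rshd
    implementations), blank lines are skipped, and a missing user
    field means "the owner of this .rhosts file" (reported as None).
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        yield host, user, line_no


def audit_rhosts(text):
    """Return [(line_no, severity, reason)] for every risky entry."""
    findings = []
    for host, user, line_no in parse_rhosts(text):
        if host.startswith("-"):
            continue  # explicit deny entry; never widens trust
        any_host = host == "+"
        any_user = user == "+"
        if any_host and any_user:
            # Exactly the "+ +" backdoor: anyone, from anywhere.
            findings.append((line_no, "critical",
                             "any user from any host ('+ +')"))
        elif any_host:
            findings.append((line_no, "high",
                             "user %r from any host" % (user or "owner")))
        elif any_user:
            findings.append((line_no, "high",
                             "any user from host %r" % host))
        elif host.startswith("+@") or (user or "").startswith("+@"):
            # Netgroup trust: only as strong as the NIS/YP map behind it.
            findings.append((line_no, "medium",
                             "netgroup trust via %s" % host))
    return findings


def scan_system(passwd_path="/etc/passwd", equiv_path="/etc/hosts.equiv"):
    """Audit hosts.equiv and the .rhosts in every passwd home directory.

    System accounts are deliberately included: on the systems discussed
    above, bin's home is /usr/bin, so /usr/bin/.rhosts is a live target.
    Returns {path: findings} for files that exist and contain findings.
    """
    results = {}
    candidates = [equiv_path]
    with open(passwd_path) as fh:
        for entry in fh:
            fields = entry.rstrip("\n").split(":")
            if len(fields) >= 6 and fields[5]:
                candidates.append(os.path.join(fields[5], ".rhosts"))
    for path in candidates:
        try:
            with open(path) as fh:
                findings = audit_rhosts(fh.read())
        except OSError:
            continue
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for line_no, severity, reason in audit_rhosts(SAMPLE_RHOSTS):
        print("sample line %d: %s: %s" % (line_no, severity, reason))
    for path, findings in scan_system().items():
        for line_no, severity, reason in findings:
            print("%s:%d: %s: %s" % (path, line_no, severity, reason))
```

Run it as root so that every home directory is readable; any "critical" hit is exactly the trace-free rsh entry point the post describes, and a "high" hit on a system account's .rhosts (bin, daemon, sys) deserves the same treatment.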