=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Вс, 12 дек 1999  23:31:30

   От: Michal Zalewski <lcamtuf@IDS.PL>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: Sendmail 8.x.x - any user may rebuild aliases database

--------------------------------------------------------------------------------




Sendmail up to recent 8.9.x versions - any user may pass -bi parameter to

/usr/sbin/sendmail. This will result in aliases database rebuild. IMHO

there's no reason to allow such things, but no matter - something rather

stupid is done during rebuild:



5366  open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6



What a bad luck! There's approx 0.1 sec delay due to /etc/aliases

processing (on my system). Meantime, luser might deliver any signals

to sendmail process... SIGKILL is quite good. After that, /etc/aliases.db

will be left in unusable state (no EOF marker), causing DoS:



220 Marchew ESMTP Mail Service at nimue.ids.pl ready.

mail from: myself

451 Cannot open hash database /etc/aliases: Invalid argument

rcpt to: lcamtuf

503 Need MAIL before RCPT



Exploit is trivial.



_______________________________________________________________________

Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]

[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:

[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]

Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]