[AusNOG] New Sendmail hole

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Mon Sep 20 20:33:20 EST 2010


On Mon, 20 Sep 2010 19:54:46 +1000
Lawrence Steven Forster <lawrence.steven.forster at gmail.com> wrote:

> Hi List,
> 
> Apparently there is a bug with (ironically) the DEBUG command in
> sendmail where you can pipe command lines in where a recipient address
> is expected.  I can confirm SunOS 4 is vulnerable and we have been
> seeing it come in for the last couple of days over both the dial-ins
> and AUSTPAC.
> 
> I hope it will be fixed soon; I fear it is only a matter of time
> before some of the more clever crackers leverage bugs like these into
> a kind of autonomous distributed exploit that cracks one host then
> uses that host as a staging point to attack more.  Such a thing could
> have terrible consequences for networks and operators everywhere.
> 

Indeed. Configured sendmail.cf files can have terrible operator
consequences. It is worth operators performing a sanity check once they
think they've understood them.

> Regards,
> 
> --
> ------------------------------------------
> Lawrence Steven Forster
> munnari!googlevax!gmail!lsf
> ------------------------------------------
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
