IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 3.11 Improper configuration of sendmail
Errors in the configuration or software of sendmail have repeatedly led to
security leaks in the affected IT systems in the past (typically: Internet worm).
Example:
Through various publications it has become known that it is possible to obtain
user IDs and group IDs which are set with the options u and g (normally
daemon). To do this a pipe has to be indicated in the address fiels (From:) so
that the mail is sent back. In the mail itself an error message has to be
generated. Therefore, if you send an E mail containing
cp/bin/sh/tmp/sh
chmod oug + rsx/tmp/sh
to an unknown recipient and use '/bin/sh' as the sender address, that message
will be returned as undeliverable which, in this case, is equivalent to the
execution of a small shell-script. By means of this script, a shell with a set
suid bit will be generated which has the user and group ID defined in
sendmail.cf.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000