Esix Rev D. support, potential security hole

James Van Artsdalen james at bigtex.cactus.org
Sat Nov 17 04:42:54 AEST 1990


In <1990Nov14.044234.7615 at msuinfo.cl.msu.edu>, conklin at frith.uucp
	(Terry Conklin) wrote:

> Let's get the security hole out of the way first. ESIX Revision D
> 'fails' the security test given in the June issue of Unix/World of
> checking for strings in /usr/lib/sendmail's binary. Apparently, ESIX not
> only still has the 'debug' id still in their sendmail, but they
> also have a questionable string right after, 'wiz.'

Sigh.  Did you actually manage to break sendmail?  Please *test* a
hypothesis before accusing someone of something.  There's nothing
wrong with the debug command.  The so-called "debug" hole was actually
in recipient.c.  The beginner's fix is to remove "debug" - the correct
fix is to remove the bug itself!

Just removing the "debug" command probably leaves open clever attacks
based on the "-bs -d1-99.99" options, or based on the smtp queue.
Neither method uses the "debug" command, but both attack the bug.

As far as the "wiz" string, that's in the binary if wizard mode is on
or off.  You get an error message if wizard mode is disabled in the
source:

/usr3/src/sendmail/src> ./sendmail -bs
220 bigtex.cactus.org Sendmail 5.59/smail2.5/04-14-88 ready at Fri, 16 Nov 90 11:33:55 CST
wiz
500 You wascal wabbit!  Wandering wizards won't win!
quit
221 bigtex.cactus.org closing connection
/usr3/src/sendmail/src> 
-- 
James R. Van Artsdalen          james at bigtex.cactus.org   "Live Free or Die"
Dell Computer Co    9505 Arboretum Blvd Austin TX 78759         512-338-8789
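An offline check in the spirit of this reply, added here and not part of the original post: rather than grepping the binary for "wiz", it reads a session transcript and classifies the server's reply code to each command, so "wiz"/"debug" count as disabled only when the server answers 5xx. The transcript is a constructed sample modelled on the one above; the host name and the "C:"/"S:" line prefixes are assumptions.

```python
import re

# Constructed transcript shaped like the session quoted above.
# "C:" lines are what the client typed, "S:" lines are server replies.
TRANSCRIPT = """\
S: 220 mail.example.invalid Sendmail ready
C: wiz
S: 500 You wascal wabbit!  Wandering wizards won't win!
C: debug
S: 500 Command unrecognized
C: quit
S: 221 mail.example.invalid closing connection
"""

# Commands named in the thread whose acceptance would be a finding.
RISKY_COMMANDS = {"wiz", "debug"}
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_transcript(text):
    """Pair each client command with the final reply code it received.

    Multi-line replies ("250-..." continuation lines) are handled by
    waiting for the line whose separator is a space, which ends the reply.
    """
    pairs = []
    pending = None
    for raw in text.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            pending = line.strip().split()[0].lower()
        elif side == "S":
            m = REPLY_RE.match(line)
            if not m or m.group(2) == "-":
                continue  # malformed or continuation line: no verdict yet
            if pending is not None:
                pairs.append((pending, int(m.group(1))))
                pending = None
    return pairs


def audit(text):
    """Return {command: verdict} for risky commands seen in the transcript."""
    verdicts = {}
    for cmd, code in parse_transcript(text):
        if cmd in RISKY_COMMANDS:
            verdicts[cmd] = "disabled" if code >= 500 else "ACCEPTED"
    return verdicts
```

Run it over a transcript captured from your own server; any "ACCEPTED" verdict means the behaviour, not merely the string, is present.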