The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #251 [rmail] (1 message, 667 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/251.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Tim Seaver <tas@mcnc.org>
To: phage
Date: Mon 13:49:11 14/11/1988 EST
Subject: rmail

>Date: Fri, 11 Nov 88 17:51:58 PST
>From: ames!pyramid.pyramid.com!csg@ea.ecn.purdue.edu (Carl S. Gutekunst)
>To: phage@purdue.edu
	...
>Romain pointed out that rmail's use of popen was highly questionable; we took
>care of that, too, although we couldn't come up with a way to propagate the
>worm by that means. (Uux eats all the characters that make popen() dangerous.)

The way you get rmail to exploit the popen call is by setting up
the appropriate uucp "From " line. The second word of the line
is passed as the "-fsender" argument to sendmail through the popen
call. Uux doesn't process the text of a message, so you can pass along
whatever shell metacharacters you wish to play games with. This hole
is independent of sendmail debug mode, so the popen really does need to go.


	Tim Seaver
	Systems Programmer
	Microelectronics Center of North Carolina

	tas@mcnc.org

END OF DOCUMENT
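
The change argued for in the message above, as an added example that is not part of the original post or of any rmail source: the sender word from the "From " line is checked against an allow-list and handed to the mailer as a single argv element through fork/execl, so no shell ever parses it. The function names, the allow-list characters and the /bin/echo stand-in for sendmail are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the second word of a uucp "From " line into out; 0 on success. */
int parse_sender(const char *line, char *out, size_t outlen)
{
    if (strncmp(line, "From ", 5) != 0) return -1;
    const char *p = line + 5 + strspn(line + 5, " \t");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Allow-list: letters, digits, and bang-path/domain punctuation only. */
int sender_is_safe(const char *s)
{
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("!@.%_+-", *s))
            return 0;
    return 1;
}

/* Run the mailer with "-fsender" as a single argv element: no shell parses it. */
int run_mailer(const char *mailer, const char *sender, const char *rcpt)
{
    char farg[300];
    int status;
    if (!sender_is_safe(sender) || rcpt[0] == '-') return -1;
    snprintf(farg, sizeof farg, "-f%s", sender);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {              /* child inherits stdin for the message body */
        execl(mailer, mailer, farg, rcpt, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char s[256]; /* constructed sample line; /bin/echo stands in for sendmail */
    const char *line = "From tas Mon Nov 14 13:49:11 1988 remote from mcnc\n";
    return parse_sender(line, s, sizeof s) ? 1 : run_mailer("/bin/echo", s, "phage");
}
```

The allow-list is defence in depth; the argv-based exec is what removes the shell from the path.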