Re: Crackers and Worms


Rick Adams (rick@seismo.css.gov)
9 Nov 88 21:13:43 GMT


In article <1242@ucsd.EDU>, hutch@net1.ucsd.edu (Jim Hutchison) writes:
> I'm not presuming they were ignored. *Many* people have been aware of this
> particular sendmail bug. That was not the purpose of the article. The fact
> is, that bugs happen. This was a sendmail & finger bug. Before, it was
> an ftp bug (and a cute one that was). Before that, ...

I have not been able to find ONE person who claims to
have known that sendmail compiled with DEBUG on would have allowed
anyone with SMTP access to run an arbitrary program on their machine.

Yet I keep hearing that "*Many*" people were aware of it. Lots of
people knew that sendmail had a debug mode, but I still haven't found one
that will admit that they knew you could run an arbitrary program.
The ability to run the program is the bug, not the fact that sendmail
has a debug mode.

The fact that you can run an arbitrary program is such an obvious
security hole that I can't believe anyone wouldn't report it if they knew.

So, name 5 of these many people and I'll drop the issue. (I WILL ask
them why they didn't think it was worth sending to Berkeley as a bug.)

The "fact" that "many" people were aware of this sendmail bug is still
totally unsubstantiated. Now's your chance.

---rick


