Re: Crackers and Worms


Chris Torek (chris@mimsy.umd.edu)
11 Nov 88 23:21:12 GMT


>In article <44440@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) notes:
>>I have not been able to find ONE person who claims to
>>have known that sendmail compiled with DEBUG on would have allowed
>>anyone with SMTP access to run an arbitrary program on their machine.

In article <4992@polya.Stanford.EDU> shap@polya.Stanford.EDU
(Jonathan S. Shapiro) replies:
>Okay. Here it goes. I knew as early as 1984 or 1985 that this
>misfeature existed, and that it got you a root-shell, which certainly
>means you can run an arbitrary program on a remote machine.

Actually, you get a `daemon' shell---not as bad, but, as Keith put it,
`not my idea of a good time'.

>What's more, I reported this problem to DEC, Sun, and Berkeley at the
>time.

Keith Bostic searched Berkeley's bug log for everything relating to
sendmail. This bug was NOT in the log, which means it was not received
at 4bsd-bugs@Berkeley.edu.

If you send a bug report to 4bsd-bugs@Berkeley.edu and do not get a
reply from `Bugs Bunny', your mail may have been lost; please re-send the
message. Better to get duplicates than none.

--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris@mimsy.umd.edu	Path:	uunet!mimsy!chris


