-----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIICozCCAgwCAQ8wDQYJKoZIhvcNAQECBQAwgYYxC zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzA5MDExN DU3NDFaFw05MzEyMTAxNDU3NDFaMIGxMQswCQYDVQQGEwJVUzErMCkGA1UEChMiR GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxFDASBgNVBAMTC1Bld GUgSGFtbWVzMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDCgMkKVE04zogQU+Y/u 9XDNBempvY7gQDGwnFQp8Htv1pdn/GpVQmMshXVARhspGNsBy2+oOJoxgIIZeDtF /MhUeyZDAoVIvi+2uagxto5eb+T/jteVqplHen6BiwPnchvKuGCyPuT0+Q7bBsJG prQwqTSJoZvozE7CNk1XV0J7wIBAzANBgkqhkiG9w0BAQIFAAOBgQCZ0AezFPQMJ NssuHMKiuq63lu9vWs5jvJ1a201z+oeUX7FkFwIRSy/RDKaLILn+v501BeoWacae GA3LS/13Y6zdP91J3RDDkj4fy9dlDOf0C1h9g6T3QVX1xZvAdJ/V6Ck9DYGvAWvf sOT8lzEQ8OfaGFgge4olbhYpCTMgId5cA== Issuer-Certificate: MIICNTCCAZ4CARswDQYJKoZIhvcNAQECBQAwRDELMAkGA 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a W9uIFN5c3RlbXMgUENBMB4XDTkzMTExMDIxMjIxNloXDTk0MDIxODIxMjIxNlowg YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX P8CAQMwDQYJKoZIhvcNAQECBQADgYEAtk4EYPgH0//H896t95E+4m8zWRxwyAULr a5wWThZ1TNjwdDQ3HbYC2IhXUA2N2Vzic5SWBFI6BRmEjWQrrgUNi4a26zZc6jiS 3OebUYo75t1kkzyRaEf0o3DPnkvo0FQziUJaFpu6Z1/+ZoGu4UURwr/jaA+g1oZC 6kDyRnygWc= Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ== MIC-Info: RSA-MD5,RSA,Wb04Eu+1WvUZ51AL3MIkbJ09PgkqmYFe+gkPq06UkYs D4/6AEt3larw3f//eERaYUbLeFb8KXUowxQ79yikpmiw6UWPmkhJvt23L4EizTQL +CBJVCou5rcjTp4tki/eUM9vxhCMyRLgv7j84p6e+1MdvFax/yaaaCUntT3dppCc = <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 93-31 Release date: 24 Nov 1993, 12:15 PM EST Subject: URGENT! sendmail vulnerability targeted on Milnet systems. BACKGROUND: ASSIST has received reports that Milnet systems have been the target of unauthorized users' attempts to exploit a UNIX based sendmail vulnerability recently detailed in ASSIST 93-29. The attempts to gain access to these systems are based on programs and information about this vulnerability that has been publicly posted to the Internet. and additional attempts to exploit the sendmail weakness are likely. IMPACT: Anyone (remote or local) can gain unauthorized access to any account on the system except root. RECOMMENDATIONS: IF YOU HAVE NOT YET IMPLEMENTED ONE OF THE WORKAROUNDS OUTLINED IN ASSIST 93-29 TO ELIMINATE THIS PROBLEM, ASSIST STRONGLY RECOMMENDS THAT YOU DO SO IMMEDIATELY! The large amount of publicly available information about the sendmail weakness, and ever expanding network connectivity will probably result in additional activity of this type ocurring in the near future. Reference ASSIST 93-29 attached at the end of this bulletin for specifics on methods for eliminating this vulnerability. ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST bbs (see below), and through anonymous ftp from assist.ims.disa.mil. ASSIST contact information: PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes, however if a quicker response is required, prefix your phone number with "999" ELECTRONIC MAIL: assist@assist.ims.disa.mil. ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop". Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future. ATTACHMENT: ASSIST Bulletin 93-29 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 93-29 Initial Release date: 08 Nov 1993, 0600 EST Subject: URGENT: sendmail vulnerability exploitation BACKGROUND: ASSIST has received information on a vulnerability that exists in UNIX derived versions of the sendmail SMTP mailer. The vulnerability POTENTIALLY AFFECTS ALL SYSTEMS RUNNING SENDMAIL, and allows any local or remote user to gain unauthorized privileged access to an affected system. Additionally, a program to exploit this vulnerability and subsequently install a back-door on an affected system has been publicly posted to the Internet. A patched version of SunOS sendmail was announced in ASSIST Bulletin 93-28; this ASSIST bulletin supersedes the sendmail portion of that advisory, so sites that installed the previous patch should still follow the recommendations in this ASSIST Bulletin. This ASSIST Bulletin provides three alternative workaround solutions to the problem, and recommends that sites implement either workaround until vendor-specific patches become available. NOTE that the workarounds each have side effects (see below), but will prevent the intrusion program mentioned above from affecting systems running sendmail until a better, more robust solution can be developed. At that time, ASSIST will distribute a bulletin advising DoD sites of the better solution. During the interim, ASSIST STRONGLY RECOMMENDS THAT SITES IMPLEMENT ONE OF THE WORKAROUNDS IMMEDIATELY! Note that this vulnerability affects the final destination sendmail host and can be exploited through an intermediate mail machine. Therefore, all sendmail recipient machines within a domain are potentially vulnerable. By default, most sendmail configuration files (e.g., /etc/sendmail.cf, /usr/lib/sendmail.cf) allow a mail message to be piped to a program. Many sites use this functionality to automatically run programs upon receipt of mail (e.g., vacation programs, automated mailing list managers such as listserv). The program posted to the network exploits a vulnerability in this facility to install and run an unauthorized program on the target host. Exploitation of this vulnerability usually generates console error messages with a "|" character embedded in the error message. ASSIST recommends that any DoD site experiencing suspicious mailer errors contact the ASSIST hotline immediately, at the phone number provided below. This vulnerability has been shown to exist on at least one system that has been evaluated according to the Trusted Computer System Evaluation Criteria (TCSEC, "Orange Book", DoD 5200.28-STD), and might affect others. IMPACT: Anyone (remote or local) can gain unauthorized access to any account on the system except root. RECOMMENDATIONS: ASSIST recommends that ALL SITES running sendmail implement one of the three alternative approaches described below immediately, and then install vendor-specific patches as they become available. Alternative 1: This workaround involves modifying the sendmail configuration to restrict the sendmail program mailer facility. Familiarity with sendmail, its installation and configuration, are recommended before implementing these modifications. Basic installation instructions are provided below. Any DoD site experiencing difficulty in installing or configuring the program can contact ASSIST at the numbers provided below for assistance. To restrict sendmail's program mailer facility, obtain and install the sendmail restricted shell program created by Eric Allman. For your convenience, this program is appended to the end of this ASSIST Bulletin; if you use the attached version, extract the program from the bulletin and save it as filename "smrsh.c". The smrsh program requires the system administrator to place all allowable executable programs in a single directory (by default, /usr/adm/sm.bin, but the actual directory can be tailored in the C program). 1. Where to obtain the program Copies of the smrsh program and documentation may be obtained from the ASSIST Bulletin Board System (BBS), or via anonymous FTP from info.cert.org (IP number 192.88.209.5), in the /pub/tools/smrsh directory, or via anonymous FTP from ftp.uu.net in the /pub/security/smrsh directory. Additionally, for your convenience, a copy of the smrsh program is attached to this digitally signed bulletin. (If you do not use PEM to authenticate this ASSIST Bulletin (details below), then ASSIST recommends that you obtain the smrsh program from either the FTP sites or from the ASSIST BBS system (details below)). Checksum information: BSD Sum 30114 5 README 25757 2 smrsh.8 46786 5 smrsh.c System V Sum 56478 10 README 42281 4 smrsh.8 65517 9 smrsh.c MD5 Checksum MD5 (README) = fc4cf266288511099e44b664806a5594 MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355 MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c 2. How to install the program An example of how to compile and install the program is provided below. - Compile the smrsh.c program as follows: % cc -o smrsh smrsh.c - As root, copy the smrsh executable file to an appropriate directory (e.g.,such as /usr/local/bin) as follows: # /usr/cp ./smrsh /usr/local/bin/smrsh - Set the ownership and protection of the installed executable as follows: # /usr/bin/chown root /usr/local/bin/smrsh # /usr/bin/chmod 711 /usr/local/bin/smrsh - Configure sendmail to use smrsh as the "program mailer". This requires modifying the sendmail.cf file and re-starting the sendmail process. Modify sendmail.cf as follows (this is a typical example - your site configuration may vary somewhat): Currently reads: Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u Change TO: Mprog, P=/usr/local/bin/smrsh, F=slFDM, S=10, R=20, A=sh -c $u - Kill and re-start the sendmail process. An example follows: - Kill and re-start the sendmail process. An example follows: # /usr/bin/ps aux | grep sendmail root 550 0.0 0.0 172 0 ? IW Nov 2 0:01 /usr/lib/sendmail -bd -q # /bin/kill -9 550 # /usr/lib/sendmail -bz # /usr/lib/sendmail -bi # /usr/lib/sendmail -bd -q30m - Place copies of each allowable program into the allowable program directory. The default for this is: /usr/adm/sm.bin 3. Potential impacts of this solution While this approach allows a site to specify which programs can be run by sendmail (e.g. vacation(1)), attempts to invoke programs that are not included in the allowed set, or attempts using shell meta-characters (see smrsh program listing for a complete set of disallowed characters), will fail, resulting in log output to the syslog(3) facility. Programs that are specified in a site's /etc/aliases file should be considered for inclusion in the allowable program list. Since .forward files allow user-specified programs to be run by sendmail, a survey of the contents of the system's .forward files may be required to prevent failure to deliver user mail. *** WARNING *************************************************** * It is very important that sites *NOT* include interpreter * * programs (e.g. /bin/sh, /bin/csh, /bin/perl, /bin/uudecode, * * /bin/sed, ...) in the list of allowed programs, as this * * will cause the vulnerability to re-surface. * *************************************************************** Alternative 2: Like alternative 1, this workaround involves modifying the sendmail configuration file. However, this approach completely disables the sendmail program mailer facility. This is a drastic, but quick action that can be taken while a site installs one of the other suggestions. Before implementing this approach, save a copy of the current sendmail configuration file. To implement this approach edit the sendmail.cf file: change from: Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u to: Mprog, P=/bin/false, F=, S=10, R=20, A= Any changes to the sendmail.cf file will require that the sendmail process be restarted to ensure that the new configuration is used. An example of how to do this can be found in the above "alternative 1" section of this ASSIST Bulletin. 1. Impacts of this approach Attempts to invoke programs through sendmail will not be successful. This includes the vacation program, automated mailing list handlers, etc. Alternative 3: To the best of our knowledge, Eric Allman's public domain implementation of sendmail, sendmail 8.6.4, does not appear to be susceptible to this vulnerability. A working solution would then be to replace a site's sendmail, with sendmail 8.6.4. 1. Where to obtain the program Copies of this version of sendmail may be obtained via anonymous FTP from ftp.cs.berkeley.edu in the /ucb/sendmail directory. Checksum information: BSD Sum sendmail.8.6.4.base.tar.Z: 07718 428 sendmail.8.6.4.cf.tar.Z: 28004 179 sendmail.8.6.4.misc.tar.Z: 57299 102 sendmail.8.6.4.xdoc.tar.Z: 33954 251 System V Sum 64609 856 sendmail.8.6.4.base.tar.Z 42112 357 sendmail.8.6.4.cf.tar.Z 8101 203 sendmail.8.6.4.misc.tar.Z 50037 502 sendmail.8.6.4.xdoc.tar.Z MD5 Checksum MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621 MD5 (sendmail.8.6.4.cf.tar.Z) = cb7ab7751fb8b45167758e9485878f6f MD5 (sendmail.8.6.4.misc.tar.Z) = 8eaa6fbe9e9226667f719af0c1bde755 MD5 (sendmail.8.6.4.xdoc.tar.Z) = a9da24e504832f21a3069dc2151870e6 2. Impacts of this workaround Depending upon the currently installed sendmail program, switching to a different sendmail may require significant effort for the system administrator to become familiar with the new program. The site's sendmail configuration file may require considerable modification in order to provide existing functionality. In some cases, the site's sendmail configuration file may be incompatible with the sendmail 8.6.4 configuration file. ASSIST would like to thank the CERT Coordination Center for its efforts in resolving technical issues regarding this vulnerability, and for its contributions to this bulletin. ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST bbs (see below), and through anonymous FTP from assist.ims.disa.mil. ASSIST contact information: PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes, however if a quicker response is required, prefix your phone number with "999" and ASSIST will return your call within 5 minutes. Electronic mail: assist@assist.ims.disa.mil. ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop". Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future. ===== /* ** SMRSH -- sendmail restricted shell ** ** This is a patch to get around the prog mailer bugs in most ** versions of sendmail. ** ** Use this in place of /bin/sh in the "prog" mailer definition ** in your sendmail.cf file. You then create CMDDIR (owned by ** root, mode 755) and put links to any programs you want ** available to prog mailers in that directory. This should ** include things like "vacation" and "procmail", but not "sed" ** or "sh". ** ** Leading pathnames are stripped from program names so that ** existing .forward files that reference things like ** "/usr/ucb/vacation" will continue to work. ** ** The following characters are completely illegal: ** < > | ^ ; & $ ` ( ) \n \r ** This is more restrictive than strictly necessary. ** ** To use this, edit /etc/sendmail.cf, search for ^Mprog, and ** change P=/bin/sh to P=/usr/etc/smrsh, where this compiled ** binary is installed /usr/etc/smrsh. ** ** In loving memory of RTM. 11/02/93. */ #include #include #include #include #include #include /* directory in which all commands must reside */ #ifndef CMDDIR # define CMDDIR "/usr/adm/sm.bin" #endif /* characters disallowed in the shell "-c" argument */ #define SPECIALS "<|>^();&`$\r\n" /* default search path */ #ifndef PATH # define PATH "/bin:/usr/bin:/usr/ucb" #endif char Version[] = "SMRSH 1.2"; main(argc, argv) int argc; char **argv; { register char *p; register char *q; register char *cmd; int i; char *newenv[2]; char cmdbuf[1000]; char pathbuf[1000]; #ifdef ultrix openlog("smrsh", 0); #else openlog("smrsh", LOG_ODELAY|LOG_CONS, LOG_MAIL); #endif strcpy(pathbuf, "PATH="); strcat(pathbuf, PATH); newenv[0] = pathbuf; newenv[1] = NULL; /* ** Do basic argv usage checking */ if (argc != 3 || strcmp(argv[1], "-c") != 0) { fprintf(stderr, "Usage: %s -c command\n", argv[0]); syslog(LOG_ERR, "usage"); exit(EX_USAGE); } /* ** Disallow special shell syntax. This is overly restrictive, ** but it should shut down all attacks. ** Be sure to include 8-bit versions, since many shells strip ** the address to 7 bits before checking. */ strcpy(cmdbuf, SPECIALS); for (p = cmdbuf; *p != '\0'; p++) *p |= '\200'; strcat(cmdbuf, SPECIALS); p = strpbrk(argv[2], cmdbuf); if (p != NULL) { fprintf(stderr, "%s: cannot use %c in command\n", argv[0], *p); syslog(LOG_CRIT, "uid %d: attempt to use %c in command: %s", getuid(), *p, argv[2]); exit(EX_UNAVAILABLE); } /* ** Do a quick sanity check on command line length. */ i = strlen(argv[2]); if (i > (sizeof cmdbuf - sizeof CMDDIR - 2)) { fprintf(stderr, "%s: command too long: %s\n", argv[0], argv[2]); syslog(LOG_WARNING, "command too long: %.40s", argv[2]); exit(EX_UNAVAILABLE); } /* ** Strip off a leading pathname on the command name. For ** example, change /usr/ucb/vacation to vacation. */ /* strip leading spaces */ for (q = argv[2]; *q != '\0' && isascii(*q) && isspace(*q); ) q++; /* find the end of the command name */ p = strpbrk(q, " \t"); if (p == NULL) cmd = &q[strlen(q)]; else { *p = '\0'; cmd = p; } /* search backwards for last / (allow for 0200 bit) */ while (cmd > q) { if ((*--cmd & 0177) == '/') { cmd++; break; } } /* cmd now points at final component of path name */ /* ** Check to see if the command name is legal. */ (void) strcpy(cmdbuf, CMDDIR); (void) strcat(cmdbuf, "/"); (void) strcat(cmdbuf, cmd); #ifdef DEBUG printf("Trying %s\n", cmdbuf); #endif if (access(cmdbuf, X_OK) < 0) { /* oops.... crack attack possiblity */ fprintf(stderr, "%s: %s not available for sendmail programs\n", argv[0], cmd); { if ((*--cmd & 0177) == '/') { cmd++; break; } } /* cmd now points at final component of path name */ /* ** Check to see if the command name is legal. */ (void) strcpy(cmdbuf, CMDDIR); (void) strcat(cmdbuf, "/"); (void) strcat(cmdbuf, cmd); #ifdef DEBUG printf("Trying %s\n", cmdbuf); #endif if (access(cmdbuf, X_OK) < 0) { /* oops.... crack attack possiblity */ fprintf(stderr, "%s: %s not available for sendmail programs\n", argv[0], cmd); if (p != NULL) *p = ' '; syslog(LOG_CRIT, "uid %d: attempt to use %s", getuid(), cmd); exit(EX_UNAVAILABLE); } if (p != NULL) *p = ' '; /* ** Create the actual shell input. */ strcpy(cmdbuf, CMDDIR); strcat(cmdbuf, "/"); strcat(cmdbuf, cmd); /* ** Now invoke the shell */ #ifdef DEBUG printf("%s\n", cmdbuf); #endif execle("/bin/sh", "/bin/sh", "-c", cmdbuf, NULL, newenv); syslog(LOG_CRIT, "Cannot exec /bin/sh: %m"); perror("/bin/sh"); exit(EX_OSFILE); } -----END PRIVACY-ENHANCED MESSAGE-----