[news.sysadmin] THE SENDMAIL BUG LIVES ON

jonathan@cs.keele.ac.uk (Jonathan Knight) (11/16/88)

Hi there.  I installed the binary bug fix from Berkeley for a few of
the Suns here at Keele.  On looking a little closer I discovered
that all the bug fix did was to place two zero bytes over the
debug command.  A little experimentation with an Ultrix machine
using telnet to a Sun revealed that if I used the command
"^@^@BUG" I could still get the debug option set.  All that is
needed to invoke the debug command is a method of typing nulls
to sendmail.

I haven't been following all the follow-ups to the worm, so does
anyone have a better fix than the one from Berkeley for binary-only
sites?
-- 
  _____      Jonathan Knight,               || JANET:  jonathan@uk.ac.keele.cs
    /        Department of Computer Science || UUCP:   ...!ukc!kl-cs!jonathan
   / _   __  University of Keele, Keele,    || BITNET: jonathan%cs.kl.ac.uk@
(_/ (_) / /  Staffordshire.  ST5 5BG.  U.K. || ----------------  cunyvm.bitnet

jonathan@cs.keele.ac.uk (Jonathan Knight) (11/16/88)

In article <402@kl-cs.UUCP>, I wrote
>                 A little experimentation with an Ultrix machine
> using telnet to a Sun revealed that if I used the command
> "^@^@BUG" I could still get the debug option set.

Actually as the debug command has been replaced with a string starting
with a null, simply hitting return will set the debug option.  No
need for any clever way of getting nulls to sendmail.  Not much of a fix
really, anybody got something better?
-- 
  _____      Jonathan Knight,               || JANET:  jonathan@uk.ac.keele.cs
    /        Department of Computer Science || UUCP:   ...!ukc!kl-cs!jonathan
   / _   __  University of Keele, Keele,    || BITNET: jonathan%cs.kl.ac.uk@
(_/ (_) / /  Staffordshire.  ST5 5BG.  U.K. || ----------------  cunyvm.bitnet

night@pawl2.pawl.rpi.edu (Trip Martin) (11/21/88)

In article <403@kl-cs.UUCP> jonathan@cs.keele.ac.uk (Jonathan Knight) writes:
>In article <402@kl-cs.UUCP>, I wrote
>>                 A little experimentation with an Ultrix machine
>> using telnet to a Sun revealed that if I used the command
>> "^@^@BUG" I could still get the debug option set.
>
>Actually as the debug command has been replaced with a string starting
>with a null, simply hitting return will set the debug option.  No
>need for any clever way of getting nulls to sendmail.  Not much of a fix
>really, anybody got something better?

I found this one too.  My first idea was to change the string to uppercase
assuming that sendmail mapped the string to lowercase before doing the
comparison.  Strangely enough that didn't work.

What did work was to put a space in the string.  Since the parser uses
spaces to delimit words, sendmail will never return a space inside the 
command word (I'm not positive on this point, but it seems to be the case).
Anyhow, I changed "debug" to "a bug".   :-)

--
Trip Martin
night@paraguay.acm.rpi.edu
night@pawl.rpi.edu

scs@itivax.UUCP (Steve C. Simmons) (11/23/88)

In article <403@kl-cs.UUCP> jonathan@cs.keele.ac.uk (Jonathan Knight) writes:
|In article <402@kl-cs.UUCP>, I wrote
|>                 A little experimentation with an Ultrix machine
|> using telnet to a Sun revealed that if I used the command
|> "^@^@BUG" I could still get the debug option set.
|
|Actually as the debug command has been replaced with a string starting
|with a null, simply hitting return will set the debug option.  No
|need for any clever way of getting nulls to sendmail.  Not much of a fix
|really, anybody got something better?

Yes.  Get BPE from some comp.sources.misc archive (or any binary editor,
for that matter).  Edit the sendmail object. [[you saved an unmodified
copy in case you blew it, right? :-) ]]  Find the DEBUG command.  Change
it to be the same as the previous command in the search sequence.
-- 
Steve Simmons		...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."
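
The behaviour reported across this thread, modelled as an added example (not part of any post, and not sendmail's source code): it checks whether a given overwrite of the six bytes holding "debug" still leaves the debug command reachable. Assumptions: a hypothetical two-entry command table, a command word delimited by spaces, and a case-insensitive whole-word comparison.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command codes and table layout, built from the thread's description. */
enum { CMD_ERROR, CMD_HELP, CMD_DEBUG };
struct cmd { char name[8]; int code; };

/* Assumed comparison: whole word, case-insensitive. */
static int same_word(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Resolve one input line after the 6 bytes that held "debug\0" in the
   binary have been overwritten with `patched`. */
int lookup(const char patched[6], const char *line) {
    struct cmd tab[2] = { { "help", CMD_HELP }, { "", CMD_DEBUG } };
    char word[32];
    size_t n = 0;

    memcpy(tab[1].name, patched, 6);
    while (*line == ' ') line++;                 /* skip leading blanks */
    while (*line && *line != ' ' && *line != '\r' && *line != '\n' && n < sizeof word - 1)
        word[n++] = *line++;
    word[n] = '\0';                              /* the word never contains a space */

    for (size_t i = 0; i < 2; i++)               /* first match in table order wins */
        if (same_word(tab[i].name, word))
            return tab[i].code;
    return CMD_ERROR;
}

/* A patch is sound only if none of the constructed sample lines reaches CMD_DEBUG. */
int patch_blocks_debug(const char patched[6]) {
    static const char *lines[] = { "debug", "DEBUG", "", "\r\n", "a bug", "bug", "help" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (lookup(patched, lines[i]) == CMD_DEBUG)
            return 0;
    return 1;
}

int main(void) {
    printf("two zero bytes:   %s\n", patch_blocks_debug("\0\0bug") ? "blocked" : "still reachable");
    printf("uppercase:        %s\n", patch_blocks_debug("DEBUG")   ? "blocked" : "still reachable");
    printf("\"a bug\":          %s\n", patch_blocks_debug("a bug")   ? "blocked" : "still reachable");
    printf("previous command: %s\n", patch_blocks_debug("help\0")  ? "blocked" : "still reachable");
    return 0;
}
```

Under these assumptions the zero-byte overwrite turns the table entry into an empty string that an empty line matches, while a name containing a space or a duplicate of an earlier entry can never be selected.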