Certain versions of the vacation(1) program, which ships with several commercial and free UNIX systems, are vulnerable to a remote and local attack. The vacation program is a utility used in conjunction with a user's .forward file to process incoming mail and automatically reply with a pre-written message, typically one informing the sender that the recipient is away on vacation. It is installed by placing a .forward file in your home directory containing a line such as: \user, "|/usr/bin/vacation user" The problem is that when vacation responds to an incoming message, it invokes the sendmail command with the sender's address on the command line. By supplying a sendmail command-line option instead of a valid email address, an attacker can cause sendmail to be invoked with an alternate configuration file. That alternate configuration file can be placed on the system beforehand via a separate email message or via anonymous FTP. When parsed, this attacker-supplied sendmail configuration file can cause sendmail to execute arbitrary commands on the remote system.
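The root cause above is an untrusted string (the sender address) being passed where sendmail expects options. As an added example, not code from any vacation implementation, the following Python shows how an auto-reply wrapper can refuse option-like addresses before they reach the sendmail command line; the sendmail path and the assumption that the MTA honours the `--` end-of-options convention are both assumptions.

```python
import re
import subprocess
from typing import List

SENDMAIL = "/usr/sbin/sendmail"  # assumption: sendmail path on this system

# Conservative address syntax. A hyphen is legal inside an address, but a
# leading hyphen would be parsed by sendmail as an option, so the first
# character of the local part is restricted to a letter or digit.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
)


def is_safe_recipient(addr: str) -> bool:
    """True only if addr cannot be mistaken for a sendmail option."""
    return addr[:1] != "-" and _ADDR_RE.fullmatch(addr) is not None


def build_reply_argv(sender: str) -> List[str]:
    """Build the argv an auto-replier should use to answer `sender`.

    Raises ValueError rather than handing an option-looking string to
    sendmail, which is exactly the mistake the advisory describes.
    """
    if not is_safe_recipient(sender):
        raise ValueError(f"refusing to reply to unsafe sender: {sender!r}")
    # '--' ends option parsing (assumption: the MTA follows the getopt
    # convention), so the address is always treated as a recipient.
    return [SENDMAIL, "--", sender]


def send_reply(sender: str, body: bytes) -> int:
    """Validate the sender, then pipe the reply body into sendmail."""
    argv = build_reply_argv(sender)
    proc = subprocess.run(argv, input=body, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs: two real-looking addresses and one that
    # begins with '-' and would have been parsed as an option.
    for candidate in ("alice@example.org", "bob-smith@example.net", "-example"):
        print(candidate, "->", "ok" if is_safe_recipient(candidate) else "REJECTED")
```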