Synthetic data for sendmail were collected at UNM on Sun SPARCstations running unpatched SunOS 4.1.1 and 4.1.4 with the included sendmail. We used strace to collect the data. Experiments on this data are reported in papers for the 1996 IEEE Symposium on Security and Privacy and for the Journal of Computer Security. Use the original SunOS mapping file for these traces.
normal data
sunsendmailcp intrusion: The sunsendmailcp (sscp) script uses a special command line option to cause sendmail to append an email message to a file. By using this script on a file such as /.rhosts, a local user may obtain root access.
8LGM Advisory: search for "[8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994".
intrusion trace data
decode intrusion: In older sendmail installations, the alias database contains an entry called "decode," which resolves to uudecode, a Unix program that converts a binary file encoded in plain text into its original form and name. uudecode respects absolute filenames, so if a file "bar.uu" says that the original file is "/home/foo/.rhosts" then when uudecode is given "bar.uu", it will attempt to create foo's .rhosts file. sendmail will generally run uudecode as the semi-privileged user daemon, so email sent to decode cannot overwrite any file on the system; however, if the target file happens to be world-writable, the decode alias entry allows these files to be modified by a remote user.
intrusion trace data
error condition - forwarding loops: A local forwarding loop occurs in sendmail when a set of $HOME/.forward files form a logical circle. We considered the simplest case, with the following setup:

  Email address    .forward file contains
  foo@host1        bar@host2
  bar@host2        foo@host1
trace data
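As an added example (not code from the UNM page or its authors), the following Python models a set of .forward files as a graph and reports every forwarding loop, which is the misconfiguration the traces above capture. It goes beyond the page's simplest two-host case by allowing more than one recipient per .forward file; the FORWARDS mapping is a constructed sample.

```python
# Added example (not part of the UNM data page): detect local forwarding loops
# in a set of $HOME/.forward files, modelled as a mapping from a mailbox to the
# addresses its .forward file lists. Any cycle in this graph is a loop.

from typing import Dict, List

# Constructed sample: the page's two-host loop plus one harmless chain.
FORWARDS: Dict[str, List[str]] = {
    "foo@host1": ["bar@host2"],
    "bar@host2": ["foo@host1"],
    "baz@host3": ["qux@host4"],   # qux@host4 has no .forward: delivery stops
}


def find_forwarding_loops(forwards: Dict[str, List[str]]) -> List[List[str]]:
    """Return every cycle in the forwarding graph as a list of addresses.

    Each cycle is reported once, starting at the first of its addresses
    reached in the order entries appear in `forwards`, e.g.
    ['foo@host1', 'bar@host2']. A mailbox with no .forward entry is a
    terminal delivery point.
    """
    WHITE, GREY, BLACK = 0, 1, 2       # unvisited / on current path / finished
    colour: Dict[str, int] = {}
    loops: List[List[str]] = []

    def visit(addr: str, path: List[str]) -> None:
        colour[addr] = GREY
        path.append(addr)
        for nxt in forwards.get(addr, []):
            state = colour.get(nxt, WHITE)
            if state == GREY:          # back edge: nxt is already on the path
                loops.append(path[path.index(nxt):])   # slice copies the cycle
            elif state == WHITE:
                visit(nxt, path)
        path.pop()
        colour[addr] = BLACK

    for start in forwards:
        if colour.get(start, WHITE) == WHITE:
            visit(start, [])
    return loops


if __name__ == "__main__":
    for loop in find_forwarding_loops(FORWARDS):
        print("forwarding loop:", " -> ".join(loop + [loop[0]]))
```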
The traces below (a second normal data set, the syslogd intrusion, and the unsuccessful intrusions) were collected in the same way as those above: at UNM on Sun SPARCstations running unpatched SunOS 4.1.1 and 4.1.4 with the included sendmail, using strace, with experiments reported in the same papers for the 1996 IEEE Symposium on Security and Privacy and the Journal of Computer Security. Use the original SunOS mapping file for these traces as well.
normal data
syslogd intrusion: The syslogd attack uses the syslog interface to overflow a buffer in sendmail. A message is sent to the sendmail on the victim machine, causing it to log a very long, specially created error message. The log entry overflows a buffer in sendmail, replacing part of sendmail's running image with the attacker's machine code. The new code is then executed, causing the standard I/O of a root-owned shell to be attached to a port. The attacker may then attach to this port at his or her leisure. This attack can be run either locally or remotely; we have tested both modes. We also varied the number of commands issued as root after a successful attack.
CERT Advisory
intrusion trace
unsuccessful intrusions - sm5x, sm565a: These are attack scripts for which SunOS 4.1.4 has patches.
trace data
trace data