I have attached two simple scripts which exploit vulnerabilities that exist
in some versions of the Sendfile daemon; both allow a local attacker
to gain superuser privileges.
The bug exploited by sfdfwd.sh was supposed to have been fixed by the patches
provided in Debian Security Advisory DSA-050-1 and then DSA-052-1, and was
reported by Colin Phipps in November 2000; somehow it has still not been
fixed. The second bug has been reported (without any success) to Debian;
it is the result of a serialization error combined with a lack of error
checking.
Anyone using this package should download the most recent copy of the source
code directly from the author's site and manually compile it, or apply the
patch used in Debian-unstable (sendfile_2.1-25). Up-to-date copies of the
source can be obtained from ftp://ftp.belwue.de/pub/unix/sendfile/current
sfdfwd.sh
sfdnfy.sh