CVE-1999-1468

MEDIUM 6.2 / 10.0
Published: October 22, 1991 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable.

CVSS Metrics

Base Score: 6.2
Severity: MEDIUM
Vector String: AV:L/AC:H/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local privilege escalation is possible on vulnerable UNIX systems due to a flaw in the rdist utility's interaction with sendmail. By manipulating the IFS (Internal Field Separator) environment variable, attackers can inject malicious commands, leading to root access and complete system compromise.

02 // Vulnerability Mechanism

Step 1: Environment Variable Manipulation: A local user sets the IFS environment variable to a value of their choosing. The value is built from characters the shell will treat as word separators, for example space, tab, newline or other shell metacharacters, so that a command line is split in a way the programmer did not intend.

Step 2: Triggering rdist: The user runs rdist, typically by starting a file distribution or by provoking an error condition that makes rdist report the failure through sendmail.

Step 3: popen() Execution: rdist calls popen() to run sendmail for the error report. popen() hands the command line to /bin/sh, and the attacker-controlled IFS reaches that shell unchanged through the inherited environment.

Step 4: Command Injection: The shell splits the command line on the attacker-chosen IFS characters, so words the programmer intended as a single token become separate commands or arguments, and the attacker's own commands are executed in place of, or alongside, sendmail.

Step 5: Privilege Escalation: The injected commands run with the privileges of the user running rdist, which is often root, giving the attacker full control of the system.

03 // Deep Technical Analysis

The vulnerability stems from the insecure use of popen() within rdist to execute sendmail. The rdist utility, designed for remote file distribution, calls sendmail to report errors, and popen() hands that command line to /bin/sh for parsing. rdist neither sanitizes the environment it passes to that shell nor escapes the command it builds; in particular the IFS variable is inherited unchanged. An attacker can set IFS to characters the shell will treat as word separators, so when rdist calls sendmail the command line is split into different words from those the programmer wrote, and the attacker's commands run with the privileges of the user running rdist, typically root. This is a classic command injection: untrusted input (here the caller's environment) reaches a shell without validation, through an interface that need not have involved a shell at all.
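The analysis above turns on popen() starting `sh -c` with the caller's environment intact. The C program below is an added example, not rdist or sendmail code and not from this page, of the defensive pattern: fork/execve of an absolute program path with no shell, under an environment the program builds itself. It uses `/bin/sh` only as a probe child that prints whether a variable named `PLANTED` (a constructed stand-in for something the invoking user exported) is visible; the `PATH` value, the `environ_with` and `run_captured` helpers and all other names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;   /* what popen()'s "sh -c" child would inherit */

/* Program-controlled environment for the child: only what the mailer needs.
 * Whatever the caller exported (IFS, PATH, LD_*, ...) is not carried over.
 * The PATH value is an assumption for this example, not rdist's setting. */
char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Run `path` (absolute, no shell parsing) with `argv` and `envp` via
 * fork/execve, capture the child's stdout into `out` (NUL-terminated, at most
 * outsz-1 bytes) and return the child's exit status, or -1 on failure. */
int run_captured(const char *path, char *const argv[], char *const envp[],
                 char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execve(path, argv, envp);         /* only returns on failure */
        _exit(127);
    }
    close(fds[1]);                        /* parent: drain the pipe */
    size_t used = 0;
    while (used < outsz - 1) {
        ssize_t n = read(fds[0], out + used, outsz - 1 - used);
        if (n <= 0)
            break;
        used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed stand-in for a caller who exported a variable before invoking
 * the privileged program: a copy of environ with `assignment` appended.
 * Returns a malloc'd array (free it after use) or NULL on failure. */
char **environ_with(const char *assignment)
{
    size_t n = 0;
    while (environ[n] != NULL)
        n++;
    char **env = malloc((n + 2) * sizeof *env);
    if (env == NULL)
        return NULL;
    memcpy(env, environ, n * sizeof *env);
    env[n] = (char *)assignment;
    env[n + 1] = NULL;
    return env;
}

/* Probe: does a child started with `envp` see variable `name` at all?
 * /bin/sh is used here only to print the answer; its command string is fixed
 * by this program and contains nothing taken from the caller's environment.
 * Returns 1 if the variable is set in the child, 0 if not, -1 on error. */
int child_sees_var(const char *name, char *const envp[])
{
    char cmd[128], out[64];
    snprintf(cmd, sizeof cmd, "echo \"${%s+visible}\"", name);
    char *argv[] = { "sh", "-c", cmd, NULL };
    if (run_captured("/bin/sh", argv, envp, out, sizeof out) != 0)
        return -1;
    return strncmp(out, "visible", 7) == 0;
}

int main(void)
{
    char **tainted = environ_with("PLANTED=1");   /* constructed, see above */
    if (tainted == NULL)
        return 1;
    printf("inherited env, PLANTED visible: %d\n",
           child_sees_var("PLANTED", tainted));   /* 1: popen() would pass it on */
    printf("clean env,     PLANTED visible: %d\n",
           child_sees_var("PLANTED", clean_env)); /* 0: dropped */
    printf("clean env,     PATH visible:    %d\n",
           child_sees_var("PATH", clean_env));    /* 1: kept on purpose */
    free(tainted);
    return 0;
}
```

The probe makes one point: a child started with `environ` sees everything the invoking user exported, which is exactly the channel this CVE used, while a fixed `envp` together with an absolute program path takes both the shell and the inherited environment out of the picture. Where a shell genuinely is required, it should still receive an environment the program assembled itself rather than the caller's.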

CVE-1999-1468 - MEDIUM Severity (6.2) | Free CVE Database | 4nuxd