Bugtraq mailing list archives

one smail bug

From: dan () dan com (dan)
Date: Fri, 7 Oct 1994 08:38:11 -0500

Saw this one elsewhere and don't think it was crossposted to here or security
groups yet:

From: martin2 () sueton ida ing tu-bs de (Martin Bartosch)
Subject: Security hole in smail - be careful!
Followup-To: comp.os.linux.misc
Summary: Security hole in smail.
Keywords: security hole, smail, debugging
Reply-To: martin () koma escape de
Organization: TU Braunschweig, Informatik (Bueltenweg), Germany
Date: Thu, 6 Oct 1994 14:57:37 GMT

Hi,

last night I discovered a potential danger to all sites that run smail.
A quick check on some other sites (thanks to the folks on #linux)
revealed that most systems are affected by this.

Essentially, the smail bug will allow ordinary users to create files
anywhere they want to:

Assume /usr/lib/sendmail is a softlink to /usr/bin/smail.

$ /usr/lib/sendmail -d -D/etc/i_am_broken noone@universe
$ ls -l /etc/i_am*

Be aware of this. Some sites even come up with permissions rw-rw-rw-!
This behaviour is not affected by -smtp-debug.

                                Just my $0.02.

                                        Martin.

--

Dan

Current thread:

Segmentation Faults Michael Bresnahan (Oct 05)
- Re: Segmentation Faults Brett Lymn (Oct 06)
- thanks! Michael Bresnahan (Oct 06)
- SMAIL Aleph One (Oct 06)
  - Re: SMAIL joshua geller (Oct 06)
  - Re: SMAIL James Seng (Oct 07)
  - one smail bug dan (Oct 07)
- syslog idea *Hobbit* (Oct 06)
  - Re: syslog idea David Kovar (Oct 06)
  - Re: syslog idea Jonathan M. Bresler (Oct 07)
    - Re: syslog idea Fred Blonder (Oct 07)
    - Re: syslog idea Jonathan M. Bresler (Oct 07)
    - Re: syslog idea Fred Blonder (Oct 07)
    - Re: syslog idea Jonathan M. Bresler (Oct 08)