Bugtraq mailing list archives
Re: local mail delivery
From: neil () legless demon co uk (Neil Woods)
Date: Thu, 3 Aug 1995 20:38:37 +0100
I was called for help on a breakin attempt that appeared to be using
the local mail delivery agent race on SunOS. In response, I wrote the
following. It appears to me to be fairly tight, but I'd appreciate any
flaws anyone can pick with it. (It does have some problems, notably
lack of checking for malloc() failure and disk full errors. I'm
talking about specifically security holes.)
In return, I offer this to anyone who may care to use it. (Of course,
it comes with no warranty; it's free, and you get what you pay for.)
Unpack into a directory somewhere and compile with
"cc -I. -o localmail *.c" or something equivalent. (You will need to
use a prototype-capable compiler. NeXTstep 2.1 /bin/cc works, as does
gcc 2.6.3 under SunOS 4.1.3, provided you link with something that
provides strerror().)
der Mouse
mouse () collatz mcrcim mcgill edu
I had a quick look at your code (although your tab key appears to
be broken, and your space bar is intermittent ;-), main() doesn't look
too clever:-
 { FILE *f;
   int i;
   i = open("/tmp/localmail.log",O_WRONLY|O_APPEND);
   if (i >= 0)
    { f = fdopen(i,"a");
      fprintf(f,"[%d] uid=%d euid=%d ac=%d\n",getpid(),getuid(),geteuid(),ac);
      for (i=0;av[i];i++)
       { fprintf(f,"\t%s\n",av[i]);
       }
      fclose(f);
    }
I presume you either intend to make localmail suid root, or have sendmail
set[ug]id for you, which makes the above potentially dodgy.
Also your mkstemp() replacement is pure overkill.
Recommended code for binmail, with every known problem fixed, can be
found in:-
CERT advisory CA-95:02.binmail.vulnerabilities
and I would personally recommend it.
Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...
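
Added example, not part of the original message and not the code from der Mouse's post or the CERT advisory: a checked version of the quoted logging block. It assumes the concern is the usual one for a set-id program appending to a fixed name in world-writable /tmp, where another local user may have placed a symlink, hard link, FIFO or their own file at that name. The helper names open_log_checked and log_invocation are hypothetical, and O_NOFOLLOW is a modern POSIX flag that the systems named in the thread did not have.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open an existing log for append only if it is a
 * regular file that `owner` alone controls. Returns an fd, or -1. */
int open_log_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the last path component; O_NONBLOCK
     * keeps open() from hanging on a FIFO planted at this name. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the name, so check and use cannot diverge. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||               /* no device, FIFO, directory */
        st.st_uid != owner ||                 /* not created by someone else */
        st.st_nlink != 1 ||                   /* not a hard link to another file */
        (st.st_mode & (S_IWGRP | S_IWOTH))) { /* nobody else may write to it */
        close(fd);
        return -1;
    }
    return fd;
}

/* Same log record as the quoted main(); returns 0 on success, -1 otherwise. */
int log_invocation(const char *path, int ac, char **av)
{
    int fd = open_log_checked(path, geteuid());
    FILE *f = fd < 0 ? NULL : fdopen(fd, "a");
    if (f == NULL) {
        if (fd >= 0) close(fd);
        return -1;
    }
    fprintf(f, "[%d] uid=%d euid=%d ac=%d\n",
            (int)getpid(), (int)getuid(), (int)geteuid(), ac);
    for (int i = 0; av[i]; i++)
        fprintf(f, "\t%s\n", av[i]);
    return fclose(f) == 0 ? 0 : -1;
}

int main(int ac, char **av)
{
    return log_invocation("/tmp/localmail.log", ac, av) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

As in the quoted block, the log is never created by the program itself, so nothing is written unless an administrator has created the file with the expected owner and mode.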
