Bugtraq mailing list archives
Re: local mail delivery
From: neil () legless demon co uk (Neil Woods)
Date: Thu, 3 Aug 1995 20:38:37 +0100
I was called for help on a breakin attempt that appeared to be using the local mail delivery agent race on SunOS. In response, I wrote the following. It appears to me to be fairly tight, but I'd appreciate any flaws anyone can pick with it. (It does have some problems, notably lack of checking for malloc() failure and disk full errors. I'm talking about specifically security holes.)

In return, I offer this to anyone who may care to use it. (Of course, it comes with no warranty; it's free, and you get what you pay for.)

Unpack into a directory somewhere and compile with "cc -I. -o localmail *.c" or something equivalent. (You will need to use a prototype-capable compiler. NeXTstep 2.1 /bin/cc works, as does gcc 2.6.3 under SunOS 4.1.3, provided you link with something that provides strerror().)

der Mouse
mouse () collatz mcrcim mcgill edu
I had a quick look at your code (although your tab key appears to be broken, and your space bar is intermittent ;-), main() doesn't look too clever:-

    { FILE *f;
      int i;
      i = open("/tmp/localmail.log",O_WRONLY|O_APPEND);
      if (i >= 0)
       { f = fdopen(i,"a");
         fprintf(f,"[%d] uid=%d euid=%d ac=%d\n",getpid(),getuid(),geteuid(),ac);
         for (i=0;av[i];i++)
          { fprintf(f,"\t%s\n",av[i]);
          }
         fclose(f);
       }

I presume you either intend to make localmail suid root, or have sendmail set[ug]id for you, which makes the above potentially dodgy.

Also your mkstemp() replacement is pure overkill.

Recommended code for binmail, with every known problem fixed, can be found in:-

    CERT advisory CA-95:02.binmail.vulnerabilities

and I would personally recommend it.

Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way, M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...
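Added example, not part of either poster's message or of the localmail source: a privileged process that opens a fixed name in world-writable /tmp appends to whatever another local user has placed there, so the descriptor has to be validated after the open. The names open_log_checked() and demo() are hypothetical, the files are constructed in a scratch directory, and O_NOFOLLOW is a POSIX.1-2008 flag that postdates the systems discussed in this thread.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing log for append from a privileged process.
 * Returns an fd, or -1 if the path is not a file we are willing to write. */
int open_log_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink at the final path component;
     * O_NONBLOCK keeps a planted FIFO from hanging the open. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() the descriptor, not the name: no check-then-use race. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||               /* no FIFOs, devices, dirs */
        st.st_uid != owner ||                 /* pre-created by someone else */
        st.st_nlink != 1 ||                   /* hard link to another file */
        (st.st_mode & (S_IWGRP | S_IWOTH))) { /* writable by others */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a real log, then a symlink and a hard link to it.
 * Returns 0 when only the real log is accepted. */
int demo(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX", log[64], sym[64], hard[64];
    int fd, bad = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(log, sizeof log, "%s/real.log", dir);
    snprintf(sym, sizeof sym, "%s/sym.log", dir);
    snprintf(hard, sizeof hard, "%s/hard.log", dir);
    fd = open(log, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if ((fd = open_log_checked(log, geteuid())) < 0) bad |= 1; else close(fd);
    if (symlink(log, sym) != 0) return -1;
    if ((fd = open_log_checked(sym, geteuid())) >= 0) { bad |= 2; close(fd); }
    if (link(log, hard) != 0) return -1;
    if ((fd = open_log_checked(hard, geteuid())) >= 0) { bad |= 4; close(fd); }
    unlink(sym); unlink(hard); unlink(log); rmdir(dir);
    return bad;
}
```

These checks cover only the final path component; keeping the log in a directory that only the privileged user can write removes the exposure at its source.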