Bugtraq mailing list archives
minor vulnerability in ELM
From: jason () REDLINE RU (Dmitry E. Kim)
Date: Wed, 26 Mar 1997 21:02:48 +0400
hi ppl,

It's just an echo of old plain NLSPATH story -- I'm not even sure it should be posted here, but still: in some distributions ELM is installed setgid 'mail' (for unknown reason) -- for example, in Linux (Slackware 3.1 and 3.2-beta) and (at least some distributions of) Solaris. It is very easy to force a stack overflow in ELM, using the environment variable NLSPATH (that is NOT the same bug as with linux libc.so.5.3.12 -- ELM in the mentioned distributions is dynamically linked, but is exploitable when running with libc.so.5.4.10 at least).

Impact: any user with access to ELM can gain group 'mail' access rights. Speaking theoretically, it is a Bad Thing, but seems like there's absolutely no practical harm from it. Though probably there is some in certain OSes? I didn't look carefully through Solaris, for example.

Exploit: standard stack overflow exploit. It is not quoted here because it is very trivial and boring :).

Solution: why would ELM actually need setgid privileges? In FreeBSD ELM lives well without any set[ug]id.

cheers,
jsn.
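The defensive side of the issue described in the message, as an added example that is not part of the original post and is not ELM's or libc's code: a set[ug]id program distrusts NLSPATH when its real and effective IDs differ, and length-checks the value before copying it into a fixed buffer. The function names, the buffer size and the default path are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CATALOG_PATH_MAX 256                        /* constructed limit for this example */
#define DEFAULT_NLSPATH  "/usr/share/locale/%L/%N"  /* assumed system default */

/* True when real and effective IDs differ, i.e. set[ug]id execution. */
static int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Choose the message-catalog search path (hypothetical helper).
 * env_value is the caller-controlled NLSPATH (may be NULL);
 * privileged says whether the environment must be distrusted.
 * Returns 0 if env_value was used, 1 if the default was used,
 * -1 if out is too small even for the default.
 */
int choose_nlspath(const char *env_value, int privileged,
                   char *out, size_t outlen)
{
    const char *src = DEFAULT_NLSPATH;
    int used_default = 1;

    /* Accept the environment only when unprivileged and it fits. */
    if (env_value != NULL && !privileged && strlen(env_value) < outlen) {
        src = env_value;
        used_default = 0;
    }
    if (strlen(src) >= outlen)
        return -1;
    memcpy(out, src, strlen(src) + 1);   /* length checked above */
    return used_default;
}

int main(void)
{
    char path[CATALOG_PATH_MAX];
    int rc = choose_nlspath(getenv("NLSPATH"), running_privileged(),
                            path, sizeof path);
    if (rc < 0)
        return 1;
    printf("catalog path: %s (%s)\n", path, rc ? "default" : "from NLSPATH");
    return 0;
}
```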