Bugtraq mailing list archives
Re: vulnerability in mail.local
From: Neil W Rickert <rickert () CS NIU EDU>
Date: Wed, 1 Nov 2000 19:17:50 -0600
gregory duchemin <c3rb3r () HOTMAIL COM> wrote:
> mail.local is a little setuid root program designed, as its name suggests, for local mail delivery. Used with the -l option, we have an interactive mode in the LMTP protocol (simplified SMTP for local mail delivery only). A weakness exists in the 'mail from' field that allows any local user to insert a piped shell command that may be executed by the recipient when he does a reply with the mail command. A little social engineering skill should help to root the box. Finally, mail.local shouldn't allow such escape chars even in the mail from field, and the mail command shouldn't allow such a reply through a pipe.
>
> A space character in the command will terminate the string, so either you use a single command like '|reboot' or use a comma, which should be converted to a space by mail, e.g. '|shutdown,now'
>
> Linux 2.4.0 beta Caldera that was freely distributed during the defcon 00 is vulnerable to this problem.
That looks like the old sendmail bugs
It is quite a stretch to call this a "mail.local" bug.

(1) A well behaved mail program should reply to the address in the "From:" header, rather than that on the unix "From " line that separates mailboxes.

(2) The ability to put such addresses with pipes on the "From:" header is derived from the RFCs that define the mail system.

(3) On a system using sendmail, a recipient address that specifies a program would not be accepted by sendmail. So this "bug" (if it is a bug), is due to the mailer program used for replies executing the program directly. The ucb 'Mail' program, and its near cousin 'mailx', will execute programs directly if given as addresses. I have not tested whether they do so when invoked by root. If this can cause a problem, the bug is surely in the behavior of programs such as 'Mail' or 'mailx' which execute pipes given as addresses.

(4) On a well managed system, there should be an alias for 'root', so that mail to root is read by a non-root user. Triggering this "bug" assumes that root will blindly reply to a message without examining the address to which the reply is being sent. While that could happen, it could also happen that root has '.' on the path, and carelessly executes a trojan.

In short, I don't believe there is any significant new bug here. At most there is one more method that an incompetent system administrator might be conned into doing something foolish. And in any case, 'mail.local' is exonerated.

-NWR
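As an added example that is not part of this thread, a small Python scanner for a spool file that flags pipe-style addresses both on the mbox envelope "From " separator line and in the "From:"/"Reply-To:" headers (the distinction Neil draws in point 1), and renders the command a pipe-executing mailer such as 'Mail'/'mailx' would run, applying the comma-to-space substitution gregory describes. The mbox fragment, the header names checked and the comma handling are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample mbox fragment (not from the original post): one ordinary
# message followed by one whose envelope line and headers carry pipe addresses.
SAMPLE_MBOX = """\
From alice@example.test Wed Nov  1 19:17:50 2000
From: alice@example.test
Subject: hello

plain message
From |shutdown,now Wed Nov  1 19:20:00 2000
From: "|shutdown,now"
Reply-To: |reboot
Subject: please reply

bait message
"""

PIPE_ADDR = re.compile(r'^\s*"?\s*\|')   # address value that begins with a pipe
ENVELOPE = re.compile(r'^From (\S+) ')    # mbox separator: "From <addr> <date>"
HEADERS = ("From:", "Reply-To:")          # assumed set of reply-relevant headers


def effective_command(addr: str) -> str:
    """Render a pipe address as the command line a pipe-executing mailer
    would run, mirroring the comma-to-space substitution described above."""
    cmd = addr.strip().strip('"').lstrip("|").strip()
    return cmd.replace(",", " ")


def scan_mbox(text: str) -> List[Dict[str, object]]:
    """Return one finding per envelope line or header whose address is a pipe."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENVELOPE.match(line)            # "From " line, not "From:" header
        if m and PIPE_ADDR.match(m.group(1)):
            findings.append({"line": lineno, "where": "envelope",
                             "address": m.group(1),
                             "command": effective_command(m.group(1))})
            continue
        for hdr in HEADERS:
            if line.startswith(hdr) and PIPE_ADDR.match(line[len(hdr):]):
                value = line[len(hdr):].strip()
                findings.append({"line": lineno, "where": hdr, "address": value,
                                 "command": effective_command(value)})
    return findings


if __name__ == "__main__":
    for f in scan_mbox(SAMPLE_MBOX):
        print(f"line {f['line']} ({f['where']}): {f['address']!r} -> would run {f['command']!r}")
```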
Current thread:
- vulnerability in mail.local gregory duchemin (Nov 03)
- Re: vulnerability in mail.local Nic Bellamy (Nov 03)
- Re: vulnerability in mail.local Neil W Rickert (Nov 03)
- Re: vulnerability in mail.local Rogier Wolff (Nov 07)
- Re: vulnerability in mail.local bert hubert (Nov 07)
- Re: vulnerability in mail.local Robert Bihlmeyer (Nov 08)
- Re: vulnerability in mail.local Rogier Wolff (Nov 07)