Bugtraq mailing list archives

Re: vulnerability in mail.local


From: Neil W Rickert <rickert () CS NIU EDU>
Date: Wed, 1 Nov 2000 19:17:50 -0600

gregory duchemin <c3rb3r () HOTMAIL COM> wrote:

mail.local is a little setuid root prog designed, like its name suggests, for
local mail delivery. Used with the -l option, we have an interactive mode in
the LMTP protocol (simplified SMTP for local mail delivery only).

A weakness exists in the 'mail from' field that allows any local user to
insert a piped shell command that may be executed by the recipient when he
does a reply with the mail command. A little social engineering skill should
help to root the box.

Finally, mail.local shouldn't allow such escape chars even in the mail from
field, and the mail command shouldn't allow such a reply through a pipe.

A space char in the command will finish the string, so either you use a single
command like '|reboot' or use a comma that should be converted to a space by
mail.
eg: '|shutdown,now'

Linux 2.4.0 beta Caldera that was freely distributed during the defcon 00 is
vulnerable to this problem.

That looks like the old sendmail bugs

It is quite a stretch to call this a "mail.local" bug.

(1)  A well behaved mail program should reply to the address in the
     "From:" header, rather than that on the unix "From " line that
     separates mailboxes.

(2)  The ability to put such addresses with pipes on the "From:"
     header is derived from the RFCs that define the mail system.

(3)  On a system using sendmail, a recipient address that specifies a
     program would not be accepted by sendmail.  So this "bug" (if it
     is a bug), is due to the mailer program used for replies executing
     the program directly.  The ucb 'Mail' program, and its near
     cousin 'mailx' will execute programs directly if given as
     addresses.  I have not tested whether they do so when invoked by
     root.

     If this can cause a problem, the bug is surely in the behavior
     of programs such as 'Mail' or 'mailx' which execute pipes given
     as addresses.

(4)  On a well managed system, there should be an alias for 'root',
     so that mail to root is read by a non-root user.  Triggering
     this "bug" assumes that root will blindly reply to a message
     without examining the address to which the reply is being sent.

     While that could happen, it could also happen that root has '.'
     on the path, and carelessly executes a trojan.

In short, I don't believe there is any significant new bug here.  At
most there is one more method that an incompetent system
administrator might be conned into doing something foolish.
And in any case, 'mail.local' is exonerated.

 -NWR
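An added example, not code from either poster, illustrating points (1) and (3) of the reply above from the defensive side: a reply-address selector that takes its candidates from the RFC 822 "Reply-To:"/"From:" headers rather than the unix "From " mailbox separator, and refuses any candidate that looks like a pipe, a file path, or carries shell metacharacters. The mailbox text, the address names and the placeholder "|some-command" are constructed for the example; the functions and regular expressions are assumptions of this example, not the behaviour of 'Mail', 'mailx' or mail.local.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample mailbox message (not from the original thread). The unix
# "From " separator line carries a pipe "address" of the kind the post describes;
# the RFC 822 "From:" header holds an ordinary mailbox address.
SAMPLE_MBOX = (
    "From |some-command Wed Nov  1 19:17:50 2000\n"
    "From: Alice Example <alice@example.invalid>\n"
    "To: root\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Characters that would give a shell-invoking mailer something to interpret.
SHELL_METACHARS = re.compile(r"[|;&$`<>()\\\"'\s]")

# Plain addr-spec (local part, optional domain); anything else is rejected.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+)?")


def split_envelope(mbox_text):
    """Separate the unix 'From ' mailbox separator from the RFC 822 message.

    Returns (envelope_sender, message_text); envelope_sender is None when the
    text does not start with a separator line.
    """
    first_line, _, rest = mbox_text.partition("\n")
    if first_line.startswith("From "):
        return first_line[5:].split(" ", 1)[0], rest
    return None, mbox_text


def is_safe_address(addr):
    """Accept only a plain addr-spec: no pipes, no file paths, no metacharacters."""
    if not addr or addr.startswith("|") or addr.startswith("/"):
        return False
    if SHELL_METACHARS.search(addr):
        return False
    return PLAIN_ADDRESS.fullmatch(addr) is not None


def reply_addresses(mbox_text):
    """Choose reply targets from Reply-To:/From: headers, never from the
    envelope separator line, and drop every candidate that fails is_safe_address().
    """
    _envelope_sender, message_text = split_envelope(mbox_text)
    msg = email.message_from_string(message_text, policy=policy.default)
    header_values = msg.get_all("Reply-To") or msg.get_all("From") or []
    candidates = [addr for _name, addr in getaddresses([str(h) for h in header_values])]
    return [addr for addr in candidates if is_safe_address(addr)]


if __name__ == "__main__":
    print("envelope sender (ignored):", split_envelope(SAMPLE_MBOX)[0])
    print("reply to:", reply_addresses(SAMPLE_MBOX))
```

The envelope sender is parsed only so it can be shown being ignored; a mailer that hands an unvalidated address string to a shell, or treats a leading '|' as "run this program", is exactly the behaviour point (3) places the blame on, and the allow-list check above is the cheap fix on the replying side.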
