[4214] in bugtraq


minor vulnerability in ELM

daemon@ATHENA.MIT.EDU (Dmitry E. Kim)
Wed Mar 26 14:12:10 1997

Date: 	Wed, 26 Mar 1997 21:02:48 +0400
Reply-To: "Dmitry E. Kim" <jason@REDLINE.RU>
From: "Dmitry E. Kim" <jason@REDLINE.RU>
To: BUGTRAQ@NETSPACE.ORG

        hi ppl,

  It's just an echo of the old plain NLSPATH story -- I'm not even sure
it should be posted here, but still: in some distributions ELM is
installed setgid 'mail' (for an unknown reason) -- for example, in Linux
(Slackware 3.1 and 3.2-beta) and (at least some distributions of) Solaris.
It is very easy to force a stack overflow in ELM using the environment variable
NLSPATH (that is NOT the same bug as with Linux libc.so.5.3.12 -- ELM in the
mentioned distributions is dynamically linked, but is exploitable when running
with libc.so.5.4.10 at least).

  Impact: any user with access to ELM can gain group 'mail' access rights.
Speaking theoretically, it is a Bad Thing, but it seems there is absolutely
no practical harm from it. Though probably there is some in certain OSes?
I didn't look carefully through Solaris, for example.

  Exploit: standard stack overflow exploit. It is not quoted here because
it is very trivial and boring :).

  Solution: why would ELM actually need setgid privileges? In FreeBSD ELM
lives well without any set[ug]id.

cheers,
jsn.
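The bug class the post describes, as an added illustration that is not part of the original message and is not ELM's code: a set[ug]id program copies an attacker-controlled environment variable (NLSPATH here) into a fixed stack buffer without a bound, so any local caller of the binary can overflow the frame. The vulnerable shape is shown beside a hardened version that refuses the environment entirely when the effective ids differ from the real ids (the same test glibc's secure_getenv() and BSD's issetugid() are built around) and otherwise performs a bounded copy that fails loudly instead of truncating. The buffer size, the default catalog path and the function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical fixed-size path buffer. Real programs of the era used similar
 * fixed sizes (often 256 or 1024); it is kept small here so that an overlong
 * NLSPATH is obviously a problem. */
#define CATALOG_PATH_MAX 64

/* Compiled-in fallback used whenever the environment must not be trusted
 * (assumed value, not taken from any real system). */
static const char DEFAULT_NLSPATH[] = "/usr/lib/nls/%L/%N";

/* Vulnerable pattern (illustrative, NOT ELM's code): the value of an
 * environment variable is copied into a fixed stack buffer with no bound.
 * Whoever runs the set[ug]id binary controls NLSPATH, so a value longer than
 * CATALOG_PATH_MAX-1 bytes overwrites the stack frame. It is only ever
 * called with short input below; it exists to show the shape of the bug. */
size_t vuln_load_catalog_path(const char *nlspath)
{
    char path[CATALOG_PATH_MAX];
    strcpy(path, nlspath);          /* unbounded copy: this is the overflow */
    return strlen(path);
}

/* True when the effective ids differ from the real ids, i.e. the process is
 * running with borrowed privilege from a setuid/setgid binary. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hardened version. `setugid` is passed in rather than read from the process
 * so the behaviour can be exercised without installing a real setgid binary.
 * Returns  0: environment value accepted and copied into out
 *          1: environment ignored (privileged run or unset), default used
 *         -1: value rejected because it does not fit the buffer */
int safe_load_catalog_path(const char *nlspath, int setugid,
                           char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    if (setugid || nlspath == NULL || *nlspath == '\0') {
        /* Untrusted environment: never let the caller of a privileged
         * program steer it to an arbitrary message catalog path. */
        snprintf(out, outlen, "%s", DEFAULT_NLSPATH);
        return 1;
    }
    size_t n = strlen(nlspath);
    if (n >= outlen)
        return -1;                  /* refuse rather than silently truncate */
    memcpy(out, nlspath, n + 1);
    return 0;
}

int main(void)
{
    char path[CATALOG_PATH_MAX];
    int rc = safe_load_catalog_path(getenv("NLSPATH"), running_setugid(),
                                    path, sizeof path);
    printf("rc=%d catalog path=%s\n", rc, rc == -1 ? "(rejected)" : path);
    return rc == -1 ? 1 : 0;
}
```

Ignoring the environment under set[ug]id is the library-side mitigation; the fix the post actually recommends is simpler still: clear the bit (`ls -l` on the elm binary shows an `s` in the group execute position when it is installed setgid 'mail', and `chmod g-s` removes it), after which an overflow in ELM gains the attacker nothing they did not already have.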
