[7036] in bugtraq
Re: security hole in mailx
daemon@ATHENA.MIT.EDU (Patrick J. Volkerding)
Fri Jun 26 01:42:12 1998
Date: Thu, 25 Jun 1998 23:53:56 -0500
Reply-To: "Patrick J. Volkerding" <volkerdi@MHD1.MOORHEAD.MSUS.EDU>
From: "Patrick J. Volkerding" <volkerdi@MHD1.MOORHEAD.MSUS.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980626061224.30288J-100000@leon.lander.es>
On Fri, 26 Jun 1998, Alvaro Martinez Echevarria wrote:
> On Thu, 25 Jun 1998, gold wrote:
>
> > sh-2.02$ id
> > uid=1001(gold) gid=8(mem) groups=100(users)
> > This is on Slackware 3.5.
> > Slack 3.3 was complete euid root.
> > Thank you for the notice, Alvaro.
>
> Ooops. I forgot about Slackware, I didn't report this to them. So
> it seems that under both Slackware 3.3 and 3.5 this bug is a
> direct root compromise:
>
> -under 3.3 you get a direct euid=0; and
> -under 3.5 you are group 8(mem), something that leads me to think
> that the overflow code was executed as root, because I don't think
> mailx is setgid "mem" in Slackware 3.5.
Actually, the mailx binary in Slackware 3.3/3.4 is not setuid or setgid:
-rwxr-xr-x 1 root bin 59420 Aug 16 1996 Mail
I doubt this could be exploited.
The mailx in Slackware 3.5 (mailx-8.1.1-9) is supplied setgid mail, and
before applying the patch you could probably exploit the overflow to get
group mail (12).
> I'm sending this (and the original report) to Patrick Volkerding.
It would have been nice to get some advance notice, but I caught the post
on BugTraq (after all, BugTraq *is* the breakfast of champions :) and have
a fixed mailx.tgz binary package up for FTP:
ftp://ftp.cdrom.com/pub/linux/slackware/slakware/n3/mailx.tgz
MD5 sum for the package:
6f7047cf74513b34e35610bebf25c82e mailx.tgz
The patch is also on the same site:
ftp://ftp.cdrom.com/pub/linux/slackware/source/n/mailx/mailx-overflow.diff.gz
And, the MD5 sum on this one is:
c2d69e4823c6c5228a3cb183aeb21720 mailx-overflow.diff.gz
Take care,
Patrick J. Volkerding
Slackware Linux maintainer
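The two checks a reader of this thread would actually want to run, as an added example that is not code from the original post, from Slackware, or from mailx: classify an ls -l mode string like the "-rwxr-xr-x" quoted above (the whole argument turns on whether the binary carries a setuid or setgid bit), test an installed binary for those bits directly, and compare a fetched package against the MD5 sum printed in the message. It assumes a POSIX sh with either md5sum (GNU) or md5 (BSD) on the path; the /usr/bin/Mail path in the usage comment is an assumption about where the binary was installed, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post, Slackware, or mailx.
# Assumes POSIX sh plus md5sum (GNU coreutils) or md5 (BSD).

# mode_privs MODE
# Classify a 10-character ls -l mode string such as "-rwxr-xr-x".
# Prints setuid, setgid, setuid,setgid or none.  The owner execute
# slot is the 4th character and the group execute slot the 7th; an
# s or S there means the corresponding bit is set.
mode_privs() {
    privs=""
    case "$1" in
        ???[sS]*) privs="setuid" ;;
    esac
    case "$1" in
        ??????[sS]*) privs="${privs:+$privs,}setgid" ;;
    esac
    printf '%s\n' "${privs:-none}"
}

# file_privs PATH
# Same classification for a file on disk, using test -u / test -g.
file_privs() {
    if [ ! -e "$1" ]; then
        echo "file_privs: $1: no such file" >&2
        return 2
    fi
    privs=""
    if [ -u "$1" ]; then privs="setuid"; fi
    if [ -g "$1" ]; then privs="${privs:+$privs,}setgid"; fi
    printf '%s\n' "${privs:-none}"
}

# md5_of PATH
# Print the hex MD5 digest of PATH with whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "md5_of: no md5sum or md5 tool found" >&2
        return 2
    fi
}

# verify_md5 EXPECTED PATH
# Exit 0 if the digest of PATH equals EXPECTED (as printed in an
# advisory), 1 on mismatch, 2 if no digest could be computed.
verify_md5() {
    actual=$(md5_of "$2") || return 2
    if [ "$actual" = "$1" ]; then
        echo "OK   $2 ($actual)"
        return 0
    else
        echo "FAIL $2: got $actual, expected $1" >&2
        return 1
    fi
}

# Usage when run directly (path and package name are assumptions):
#   sh mailx-check.sh /usr/bin/Mail 6f7047cf74513b34e35610bebf25c82e mailx.tgz
if [ $# -ge 1 ]; then
    echo "$1: $(file_privs "$1")"
fi
if [ $# -ge 3 ]; then
    verify_md5 "$2" "$3"
fi
```

Run it against the mailx you actually have installed: if file_privs reports none, the overflow gives an attacker nothing beyond their own privileges, which is the point of the reply above; if it reports setgid, you get whatever that group owns (group mail on 3.5) and want the patched package, checked with verify_md5 before installing.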