[17457] in bugtraq
Re: vulnerability in mail.local
daemon@ATHENA.MIT.EDU (gregory duchemin)
Thu Nov 2 11:37:26 2000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F158V4qUlyunxtkVO4a0000386f@hotmail.com>
Date: Thu, 2 Nov 2000 04:13:13 GMT
Reply-To: gregory duchemin <c3rb3r@HOTMAIL.COM>
From: gregory duchemin <c3rb3r@HOTMAIL.COM>
X-To: nic@bellamy.co.nz
To: BUGTRAQ@SECURITYFOCUS.COM
I agree, but nevertheless mail.local should parse and filter its "mail from:"
field just like it already does with "rcpt to:"; I don't see any reason
to allow such strings in LMTP fields.
And naturally the weakness in mail and others should be fixed too. At least
a warning would be welcome (pipe aliases have been disabled by default in
sendmail's aliases file for many years because of the same kind of
security issues; see the infamous decode vulnerability).
Most of the time, unix admins are too busy to check every mail they get,
especially at schools.
Finally, I believe that many admins actually still use the little mail
command, and this is the problem, because local root compromise is real.
Cheers
Gregory Duchemin
Security Consultant
Neurocom CANADA
1001 bd Maisonneuve Ouest, suite 200
Montreal (quebec) H3A 3C8 Canada
c3rb3r@hotmail.com
>From: Nic Bellamy <nic@bellamy.co.nz>
>To: Gregory Duchemin <c3rb3r@HOTMAIL.COM>
>CC: <BUGTRAQ@SECURITYFOCUS.COM>
>Subject: Re: vulnerability in mail.local
>Date: Thu, 2 Nov 2000 15:12:26 +1300 (NZDT)
>MIME-Version: 1.0
>Received: from [210.55.12.113] by hotmail.com (3.2) with ESMTP id
>MHotMailBBCA1893000ED82197EFD2370C710E560; Wed Nov 01 18:12:36 2000
>Received: from wibble.net (sky@wibble.net [210.55.12.113])by wibble.net
>(8.9.3/8.9.3/Debian 8.9.3-21) with ESMTP id PAA26005;Thu, 2 Nov 2000
>15:12:27 +1300
>From nic@bellamy.co.nz Wed Nov 01 18:13:37 2000
>X-Sender: <sky@wibble.net>
>In-Reply-To: <F63BZTW5k1Ed28kIN4M00005711@hotmail.com>
>Message-ID: <Pine.LNX.4.30.0011021448530.25485-100000@wibble.net>
>
>On Wed, 1 Nov 2000, gregory duchemin wrote:
>
> > mail.local is a little setuid root prog designed, like its name suggests,
> > for local mail delivery.
>
>[snip]
>
>The problem is not in mail.local at all, it's in 'mail' (/bin/mail,
>/usr/bin/mail or similar). When you attempt to reply to a message from
><|/tmp/some@file>, 'mail' will attempt to send it via that program.
>
>The same problem can be seen in a simple fashion from the command line,
>eg.
>
>$ mail '|/usr/bin/id'
>Subject: test message
>testing
>.
>Cc:
>$ uid=1000(nic) gid=1000(nic)
>
>So, to summarise, you are not vulnerable unless you:
>
> (a) use /bin/mail to handle your email,
> and (b) reply to an email with a from address starting with '|'.
>
>Regards,
> Nic.
>
>-- Nic Bellamy <nic@bellamy.co.nz>
> IT Consultant, Asterisk Limited - http://www.asterisk.co.nz/
> Ph: +64-9-360-0905 Fax: +64-9-360-0906 Mob: +64-21-360-905
>
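The filtering Gregory asks for above (rejecting pipe-style strings in the LMTP envelope the way mail.local already does for "rcpt to:") can be sketched as a small defensive check. The code below is an added example, not code from the original thread and not sendmail's or mail.local's own implementation; the envelope lines it parses are constructed for the example, and the set of rejected characters is an assumption chosen to cover the '|' prefix shown in Nic's session plus the usual shell metacharacters, not a reproduction of mail.local's actual rules.

```python
import re

# Constructed sample LMTP envelope lines (not taken from the original post).
SAMPLE_LINES = [
    "MAIL FROM:<alice@example.org>",
    "MAIL FROM:<|/tmp/some@file>",   # the '|' prefix discussed in the thread
    "RCPT TO:<bob@example.org>",
    "RCPT TO:<|/usr/bin/id>",
    "MAIL FROM:<>",                  # null reverse path, legitimate
]

# Matches "MAIL FROM:<addr>" / "RCPT TO:<addr>" and captures the address.
_ENVELOPE_RE = re.compile(
    r"^(?P<verb>MAIL FROM|RCPT TO):\s*<(?P<addr>[^>]*)>\s*$", re.IGNORECASE
)

# Assumed reject set: characters that reach a shell or a pipe alias when an
# envelope address is later reused unchecked (e.g. by a mail user agent
# replying to it). Deliberately stricter than RFC 5321 quoted local parts.
_REJECT_CHARS = set("|`$;<>\\\"'()&\n\r")


def is_safe_envelope_address(addr):
    """True if the address carries no pipe/shell metacharacters.

    The empty reverse path ("<>") is the legitimate null sender and is accepted.
    A leading '|' is rejected outright, as are the assumed metacharacters
    anywhere in the address.
    """
    if addr == "":
        return True
    if addr.startswith("|"):
        return False
    return not any(c in _REJECT_CHARS for c in addr)


def check_envelope_line(line):
    """Parse one LMTP envelope command.

    Returns (verb, addr, accepted); verb and addr are None when the line
    is not a MAIL FROM / RCPT TO command at all.
    """
    m = _ENVELOPE_RE.match(line)
    if not m:
        return (None, None, False)
    addr = m.group("addr")
    return (m.group("verb").upper(), addr, is_safe_envelope_address(addr))


def reply_for(line):
    """Produce the SMTP/LMTP-style reply a filtering server would send."""
    verb, addr, accepted = check_envelope_line(line)
    if verb is None:
        return "500 5.5.2 Syntax error"
    if accepted:
        return "250 2.1.0 OK"
    if verb == "MAIL FROM":
        return "501 5.1.7 Bad sender address syntax"
    return "501 5.1.3 Bad recipient address syntax"


def filter_lines(lines):
    """Apply the check to every line; returns a list of (line, reply)."""
    return [(line, reply_for(line)) for line in lines]


if __name__ == "__main__":
    for line, reply in filter_lines(SAMPLE_LINES):
        print(f"{line:35} -> {reply}")
```

The point of the example is the asymmetry Gregory objects to: the same address that mail.local would refuse as a recipient is accepted as a sender and then handed to a mail user agent that may treat a leading '|' as a command. Running the check on both envelope verbs closes that gap at the delivery agent rather than relying on every downstream 'mail' binary to be fixed.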