[17466] in bugtraq
Re: vulnerability in mail.local
daemon@ATHENA.MIT.EDU (Nic Bellamy)
Thu Nov 2 13:25:13 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0011021448530.25485-100000@wibble.net>
Date: Thu, 2 Nov 2000 15:12:26 +1300
Reply-To: Nic Bellamy <nic@BELLAMY.CO.NZ>
From: Nic Bellamy <nic@BELLAMY.CO.NZ>
X-To: Gregory Duchemin <c3rb3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <F63BZTW5k1Ed28kIN4M00005711@hotmail.com>
On Wed, 1 Nov 2000, gregory duchemin wrote:
> mail.local is a little setuid root prog designed, like its name suggests, for
> local mail delivery.
[snip]
The problem is not in mail.local at all, it's in 'mail' (/bin/mail,
/usr/bin/mail or similar). When you attempt to reply to a message from
<|/tmp/some@file>, 'mail' will attempt to send it via that program.
The same problem can be seen in a simple fashion from the command line,
e.g.
$ mail '|/usr/bin/id'
Subject: test message
testing
.
Cc:
$ uid=1000(nic) gid=1000(nic)
So, to summarise, you are not vulnerable unless you:
(a) use /bin/mail to handle your email,
and (b) reply to an email with a from address starting with '|'.
Regards,
Nic.
-- Nic Bellamy <nic@bellamy.co.nz>
IT Consultant, Asterisk Limited - http://www.asterisk.co.nz/
Ph: +64-9-360-0905 Fax: +64-9-360-0906 Mob: +64-21-360-905
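The point of the reply above is that it is the recipient string handed to 'mail', not mail.local, that decides whether the message goes to a mailbox or to a program. As an added example (not part of this thread or of any mail(1) implementation), here is a Python check a reply-wrapper script could run over a From:/Reply-To: header before passing the address on to /bin/mail. The '|' case is the one the post describes; treating a leading '/' or '+' as a file/folder target follows mailx-style recipient rules and is an assumption beyond the post, and the address regex is a deliberate simplification.

```python
import re

# Recipient prefixes that classic mailx-style mail(1) does not treat as a
# mailbox: '|' pipes the message to a program (the case in the post);
# '/' and '+' are assumed here to mean an mbox file or folder.
_UNSAFE_LEAD = {"|": "pipe", "/": "file", "+": "folder"}

# Simplified mailbox syntax: enough to accept ordinary user@host addresses.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Address inside angle brackets, e.g. Nic Bellamy <nic@example.invalid>.
_ANGLE_RE = re.compile(r"<([^>]*)>")


def classify_recipient(addr):
    """Return 'pipe', 'file', 'folder', 'mailbox' or 'reject' for one recipient."""
    addr = addr.strip()
    if addr and addr[0] in _UNSAFE_LEAD:
        return _UNSAFE_LEAD[addr[0]]
    if _ADDR_RE.match(addr):
        return "mailbox"
    return "reject"


def extract_address(header_value):
    """Pull the addr-spec out of a single From:/Reply-To: value.

    The display name is ignored on purpose: a name like "|/usr/bin/id" is
    harmless, it is the part between <> (or the bare value) that 'mail' sees.
    """
    m = _ANGLE_RE.search(header_value)
    return (m.group(1) if m else header_value).strip()


def safe_reply_recipients(header_value):
    """Return (kept, dropped): plain mailbox addresses vs. anything 'mail'
    would interpret as a pipe/file target or that does not parse at all."""
    addr = extract_address(header_value)
    if classify_recipient(addr) == "mailbox":
        return [addr], []
    return [], [addr]
```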