[17469] in bugtraq
Re: vulnerability in mail.local
daemon@ATHENA.MIT.EDU (Neil W Rickert)
Thu Nov 2 13:40:21 2000
Message-Id: <24916.973127870@euclid.cs.niu.edu>
Date: Wed, 1 Nov 2000 19:17:50 -0600
Reply-To: Neil W Rickert <rickert@CS.NIU.EDU>
From: Neil W Rickert <rickert@CS.NIU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from gregory duchemin <c3rb3r@HOTMAIL.COM> of "Wed, 01 Nov 2000 18:57:10 GMT." <F63BZTW5k1Ed28kIN4M00005711@hotmail.com>
gregory duchemin <c3rb3r@HOTMAIL.COM> wrote:
>mail.local is a little setuid root program designed, like its name suggests, for
>local mail delivery.
>Used with the -l option, we have an interactive mode in the LMTP protocol
>(simplified SMTP for local mail delivery only).
>A weakness exists in the 'mail from' field that allows any local user to
>insert a piped shell command that may be executed by the recipient when he
>does a reply with the mail command. A little social engineering skill should
>help to root the box.
>Finally, mail.local shouldn't allow such escape chars even in the mail from
>field, and the mail command shouldn't allow such a reply through a pipe.
>A space char in the command will finish the string, so either you use a single
>command like '|reboot' or use a comma that should be converted to a space by
>mail.
>eg: '|shutdown,now'
>Linux 2.4.0 beta Caldera that was freely distributed during the defcon 00 is
>vulnerable to this problem.
>That looks like the old sendmail bugs
It is quite a stretch to call this a "mail.local" bug.
(1) A well behaved mail program should reply to the address in the
"From:" header, rather than that on the unix "From " line that
separates mailboxes.
(2) The ability to put such addresses with pipes on the "From:"
header is derived from the RFCs that define the mail system.
(3) On a system using sendmail, a recipient address that specifies a
program would not be accepted by sendmail. So this "bug" (if it
is a bug) is due to the mailer program used for replies executing
the program directly. The ucb 'Mail' program, and its near
cousin 'mailx', will execute programs directly if given as
addresses. I have not tested whether they do so when invoked by
root.
If this can cause a problem, the bug is surely in the behavior
of programs such as 'Mail' or 'mailx' which execute pipes given
as addresses.
(4) On a well managed system, there should be an alias for 'root',
so that mail to root is read by a non-root user. Triggering
this "bug" assumes that root will blindly reply to a message
without examining the address to which the reply is being sent.
While that could happen, it could also happen that root has '.'
on the path, and carelessly executes a trojan.
In short, I don't believe there is any significant new bug here. At
most there is one more method that an incompetent system
administrator might be conned into doing something foolish.
And in any case, 'mail.local' is exonerated.
-NWR
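The distinction drawn in points (1) and (3) above, as an added example that is not part of this thread and not code from mail.local, Mail or mailx: a small Python routine that separates the mbox "From " envelope line (which mail.local writes from the LMTP "mail from" value) from the RFC 822 "From:" header, picks the reply target the way a well-behaved mail user agent should, and refuses targets that a pipe-executing MUA would treat as a program or a file. The sample messages and all function names are constructed for this illustration.

```python
import email
from email import policy

# Constructed sample mbox entry: the "From " separator line carries the
# envelope sender (an attacker-controlled "|..." value), while the "From:"
# header carries the author's real address that a reply should use.
SAMPLE_MBOX = (
    'From |pipe-command Wed Nov  1 18:57:10 2000\n'
    'From: alice@example.test\n'
    'To: root@example.test\n'
    'Subject: test\n'
    '\n'
    'hello\n'
)

# Constructed sample with no From: header, so only the envelope line exists.
SAMPLE_NO_HEADER = (
    'From |pipe-command Wed Nov  1 18:57:10 2000\n'
    'Subject: test\n'
    '\n'
    'hello\n'
)


def split_envelope(raw):
    """Return (envelope_sender, message_text) for one mbox entry.

    The mbox separator is 'From <sender> <date>'. It is not an RFC 822
    header and must never be confused with the 'From:' header below it.
    """
    first, _, rest = raw.partition('\n')
    if first.startswith('From '):
        parts = first.split(' ', 2)
        sender = parts[1] if len(parts) > 1 else ''
        return sender, rest
    return None, raw


def header_reply_address(message_text):
    """Reply target as an RFC 822 MUA chooses it: Reply-To, then From:."""
    msg = email.message_from_string(message_text, policy=policy.default)
    value = msg.get('Reply-To') or msg.get('From')
    return str(value) if value is not None else None


def is_safe_reply_target(addr):
    """Reject what a ucb Mail/mailx-style MUA would run as a pipe ('|cmd')
    or write to as a file ('/path') instead of delivering to a mailbox."""
    if not addr:
        return False
    addr = addr.strip()
    return not addr.startswith(('|', '/'))


def choose_reply_address(raw):
    """Return (address, is_safe). The header address wins; the envelope
    sender is only a fallback and is subjected to the same check."""
    envelope, text = split_envelope(raw)
    candidate = header_reply_address(text) or envelope
    return candidate, is_safe_reply_target(candidate)


if __name__ == '__main__':
    print(choose_reply_address(SAMPLE_MBOX))       # ('alice@example.test', True)
    print(choose_reply_address(SAMPLE_NO_HEADER))  # ('|pipe-command', False)
```

The check deliberately sits on the replying side, where point (3) locates the problem: even when the header-derived address is preferred, a target that starts with '|' or '/' is refused before any pipe could be opened.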