Re: security hole in mailx
From: volkerdi () MHD1 MOORHEAD MSUS EDU (Patrick J. Volkerding)
Date: Thu, 25 Jun 1998 23:53:56 -0500
On Fri, 26 Jun 1998, Alvaro Martinez Echevarria wrote:
On Thu, 25 Jun 1998, gold wrote:
uid=1001(gold) gid=8(mem) groups=100(users)
This is on Slackware 3.5.
Slack 3.3 was complete euid root.
Thank you for the notice, Alvaro.
Oops. I forgot about Slackware; I didn't report this to them. So
it seems that under both Slackware 3.3 and 3.5 this bug is a
direct root compromise:
- under 3.3 you get a direct euid=0; and
- under 3.5 you are group 8(mem), something that leads me to think
that the overflow code was executed as root, because I don't think
mailx is setgid "mem" in Slackware 3.5.
Actually, the mailx binary in Slackware 3.3/3.4 is not setuid or setgid:
-rwxr-xr-x 1 root bin 59420 Aug 16 1996 Mail
I doubt this could be exploited.
The mailx in Slackware 3.5 (mailx-8.1.1-9) is supplied setgid mail, and
before applying the patch you could probably exploit the overflow to get
group mail (12).
I'm sending this (and the original report) to Patrick Volkerding.
It would have been nice to get some advance notice, but I caught the post
on BugTraq (after all, BugTraq *is* the breakfast of champions :) and have
a fixed mailx.tgz binary package up for FTP:
MD5 sum for the package:
The patch is also on the same site:
And, the MD5 sum on this one is:
Patrick J. Volkerding
Slackware Linux maintainer
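The whole disagreement above turns on one thing: which set-id bits the installed Mail binary carries, because that is exactly the privilege an overflow inside it can hand to the attacker (none on a plain 755 binary, group mail on a setgid-mail one, root on a setuid-root one). The script below is an added example, not part of this thread or of Slackware's own tooling; it classifies a binary from its mode bits the way one would read the `ls -l` line Patrick pasted, and audits a directory tree for anything carrying such bits. The path /usr/bin/Mail in the usage comment is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report what privilege a
# binary would grant to whoever gains code execution inside it, judged
# from its setuid/setgid bits and its owner/group.

# setid_class FILE
#   Prints "none", "setuid(OWNER)", "setgid(GROUP)" or
#   "setuid(OWNER) setgid(GROUP)".  Parses `ls -ld` output, which has the
#   same layout on every Unix: mode links owner group size date name.
setid_class() {
    file=$1
    info=$(ls -ld "$file") || return 1
    # word-split on purpose: $1=mode $3=owner $4=group
    set -- $info
    mode=$1 owner=$3 group=$4
    out=""
    # 4th character of the mode string is the owner-execute slot;
    # 's' (or 'S' without execute) there means setuid.
    case $mode in ???[sS]*) out="setuid($owner)" ;; esac
    # 7th character is the group-execute slot; 's'/'S' means setgid.
    case $mode in ??????[sS]*) out="${out:+$out }setgid($group)" ;; esac
    echo "${out:-none}"
}

# audit_setid DIR
#   Lists every regular file under DIR with a setuid or setgid bit set,
#   one per line, followed by its classification.  find(1)'s -perm -4000
#   and -perm -2000 are the POSIX tests for those bits.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        echo "$f: $(setid_class "$f")"
    done
}

# Usage (path assumed for illustration):
#   setid_class /usr/bin/Mail      # e.g. "setgid(mail)" on a 3.5-style install
#   audit_setid /usr/bin           # everything in the tree worth an attacker's look
```

A binary that reports "none" gives an overflow nothing to escalate to, which is Patrick's point about 3.3/3.4; one reporting setgid(mail) bounds the damage at group mail rather than root, which is his point about the unpatched 3.5 package.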