Home page logo

bugtraq logo Bugtraq mailing list archives

Re: security hole in mailx
From: volkerdi () MHD1 MOORHEAD MSUS EDU (Patrick J. Volkerding)
Date: Thu, 25 Jun 1998 23:53:56 -0500

On Fri, 26 Jun 1998, Alvaro Martinez Echevarria wrote:
On Thu, 25 Jun 1998, gold wrote:

sh-2.02$ id
uid=1001(gold) gid=8(mem) groups=100(users)
this is on slackware 3.5
slack 3.3 was complete euid root
thank-you for notice alvaro

Ooops. I forgot about slackware, I didn't report this to them. So
it seems that under both Slackware 3.3 and 3.5 this bug is a
direct root compromise:

-under 3.3 you get a direct euid=0; and
-under 3.5 you are group 8(mem), something that leads me to think
 that the overflow code was executed as root. Because I don't think
 mailx is setgid "mem" in slackware 3.5.

Actually, the mailx binary in Slackware 3.3/3.4 is not setuid or setgid:

-rwxr-xr-x   1 root     bin         59420 Aug 16  1996 Mail

I doubt this could be exploited.

The mailx in Slackware 3.5 (mailx-8.1.1-9) is supplied setgid mail, and
before applying the patch you could probably exploit the overflow to get
group mail (12).

I'm sending this (and the original report) to Patrick Volkerding.

It would have been nice to get some advance notice, but I caught the post
on BugTraq (after all, BugTraq *is* the breakfast of champions :) and have
a fixed mailx.tgz binary package up for FTP:


MD5 sum for the package:
6f7047cf74513b34e35610bebf25c82e  mailx.tgz

The patch is also on the same site:


And, the MD5 sum on this one is:
c2d69e4823c6c5228a3cb183aeb21720  mailx-overflow.diff.gz

Take care,

Patrick J. Volkerding
Slackware Linux maintainer

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]