Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Serious Linux 2.0.34 security problem
From: segv () SETEC ORG (Segv)
Date: Mon, 29 Jun 1998 12:22:32 -0400


There seems to be some more problems with mailx. While browsing over the
source, I found the code that handles the '!' command.
(this appears in names.c)

  if ((shell = value("SHELL")) == NOSTR)
        shell = SHELL;
   execl(shell, shell, "-c", fname, 0);

As you can see the value() function returns a pointer to the value of (the
envoriment variable) SHELL. If SHELL isn't set it defaults to /bin/bash
(consult local.h). Then execl() is called to execute the value that shell
points too. So you can execute commands with sgid mail privs. One problem
you may run into is shell's that drop privs if rgid != egid, so you could
simply write a wrapper that calls setrgid(mail) then executes the specified
command with sgid mail privs.

Affected: system's that have mailx sgid mail.
Thanks: aleph1 for his ideas.

-----

segv
<segv () setec org>



  By Date           By Thread  

Current thread:
  • Re: Serious Linux 2.0.34 security problem Segv (Jun 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]