Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: vulnerability in mail.local
From: Nic Bellamy <nic () BELLAMY CO NZ>
Date: Thu, 2 Nov 2000 15:12:26 +1300

On Wed, 1 Nov 2000, gregory duchemin wrote:

mail.local is a little setuid root prog designed, like its name suggest, for
local mail delivering.

[snip]

The problem is not in mail.local at all, it's in 'mail' (/bin/mail,
/usr/bin/mail or similar). When you attempt to reply to a message from
<|/tmp/some () file>, 'mail' will attempt to send it via that program.

The same problem can be seen in a simple fashion from the command line,
eg.

$ mail '|/usr/bin/id'
Subject: test message
testing
.
Cc:
$ uid=1000(nic) gid=1000(nic)

So, to summarise, you are not vulnerable unless you:

      (a) use /bin/mail to handle your email,
  and (b) reply to an email with a from address starting with '|'.

Regards,
        Nic.

-- Nic Bellamy <nic () bellamy co nz>
   IT Consultant, Asterisk Limited - http://www.asterisk.co.nz/
   Ph: +64-9-360-0905 Fax: +64-9-360-0906 Mob: +64-21-360-905


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault