Bugtraq mailing list archives

Re: vulnerability in mail.local
From: Nic Bellamy <nic () BELLAMY CO NZ>
Date: Thu, 2 Nov 2000 15:12:26 +1300

On Wed, 1 Nov 2000, gregory duchemin wrote:

> mail.local is a little setuid root prog designed, like its name suggests, for
> local mail delivery.


The problem is not in mail.local at all, it's in 'mail' (/bin/mail,
/usr/bin/mail or similar). When you attempt to reply to a message from
<|/tmp/some () file>, 'mail' will attempt to send it via that program.

The same problem can be seen in a simple fashion from the command line,

$ mail '|/usr/bin/id'
Subject: test message
$ uid=1000(nic) gid=1000(nic)

So, to summarise, you are not vulnerable unless you:

      (a) use /bin/mail to handle your email,
  and (b) reply to an email with a from address starting with '|'.


-- Nic Bellamy <nic () bellamy co nz>
   IT Consultant, Asterisk Limited - http://www.asterisk.co.nz/
   Ph: +64-9-360-0905 Fax: +64-9-360-0906 Mob: +64-21-360-905
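
A check a mail filter could run before a message reaches a 'mail'-style client, as an added example that is not part of the original post: it flags reply-source headers whose address begins with '|', which is condition (b) above. The header set, the function name and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import getaddresses

# Headers a reply can be addressed from (assumed set, chosen for this example).
REPLY_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")


def pipe_addresses(raw_message: bytes):
    """Return (header, address) pairs whose address begins with '|'."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for name in REPLY_HEADERS:
        for value in msg.get_all(name, []):
            value = str(value)
            parsed = [a for _n, a in getaddresses([value]) if a]
            if not parsed and "|" in value:
                # Parser gave no address: run the prefix check on the raw value.
                parsed = [value.strip()]
            for addr in parsed:
                if addr.lstrip(" <\"'").startswith("|"):
                    hits.append((name, addr))
    return hits


# Constructed sample messages (not taken from a real mailbox).
SUSPECT = (
    b"From: <|/usr/bin/id@localhost>\r\n"
    b"To: nic@localhost\r\n"
    b"Subject: test message\r\n\r\nbody\r\n"
)
BENIGN = (
    b"From: Some User <user@example.org>\r\n"
    b"Reply-To: list@example.org\r\n"
    b"Subject: a | b\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, pipe_addresses(raw))
```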
