Re: vulnerability in mail.local
From: Nic Bellamy <nic () BELLAMY CO NZ>
Date: Thu, 2 Nov 2000 15:12:26 +1300
On Wed, 1 Nov 2000, gregory duchemin wrote:
> mail.local is a little setuid root prog designed, like its name suggests, for
> local mail delivery.
The problem is not in mail.local at all, it's in 'mail' (/bin/mail,
/usr/bin/mail or similar). When you attempt to reply to a message from
<|/tmp/some () file>, 'mail' will attempt to send it via that program.
The same problem can be seen in a simple fashion from the command line,
$ mail '|/usr/bin/id'
Subject: test message
$ uid=1000(nic) gid=1000(nic)
So, to summarise, you are not vulnerable unless you:
(a) use /bin/mail to handle your email,
and (b) reply to an email with a from address starting with '|'.
-- Nic Bellamy <nic () bellamy co nz>
IT Consultant, Asterisk Limited - http://www.asterisk.co.nz/
Ph: +64-9-360-0905 Fax: +64-9-360-0906 Mob: +64-21-360-905
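
The condition described in the message above, written as a check that a mail-handling script could run before a sender address is handed to 'mail' for a reply. This is an added example, not part of the original post. It flags reply-relevant headers whose address begins with '|'; the header set, function names and sample messages are assumptions constructed for illustration.

```python
import re

# Headers a mail reader may take the reply destination from (assumed set).
REPLY_HEADERS = {"from", "reply-to", "sender", "return-path"}

def unfolded_headers(raw):
    """Yield (name, value) pairs from the header block, joining folded lines."""
    name, value = None, ""
    for line in raw.splitlines():
        if line == "":                      # blank line ends the header block
            break
        if line[0] in " \t" and name:       # continuation of the previous header
            value += " " + line.strip()
            continue
        if name:
            yield name, value
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
    if name:
        yield name, value

def address_of(value):
    """Return the <...> part of a header value, or the whole value if none."""
    m = re.search(r"<([^>]*)>", value)
    # Strip whitespace and quotes so a quoted pipe target is still caught.
    return (m.group(1) if m else value).strip(" \t\"'")

def pipe_reply_targets(raw):
    """List (header, address) pairs whose address begins with '|'."""
    hits = []
    for name, value in unfolded_headers(raw):
        if name in REPLY_HEADERS:
            addr = address_of(value)
            if addr.startswith("|"):
                hits.append((name, addr))
    return hits

# Constructed sample messages, not taken from a real mailbox.
SUSPECT = "From: <|/usr/bin/id>\nReply-To:\n\t<|/usr/bin/id>\nSubject: hi\n\nbody\n"
BENIGN = "From: Alice <alice@example.org>\nSubject: a | b\n\n|/usr/bin/id\n"

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, pipe_reply_targets(msg))
```

Only the header block is inspected, so a '|' in the subject or body of the benign sample is not reported.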