Re: vulnerability in mail.local
From: Neil W Rickert <rickert () CS NIU EDU>
Date: Wed, 1 Nov 2000 19:17:50 -0600
gregory duchemin <c3rb3r () HOTMAIL COM> wrote:
> mail.local is a little setuid root prog designed, like its name suggests, for
> local mail delivering.
>
> Used with the -l option, we have an interactive mode in LMTP protocol
> (simplified SMTP for local mail delivery only).
>
> A weakness exists in the 'mail from' field that allows any local user to
> insert a piped shell command that may be executed by the recipient when he
> does a reply with the mail command. A little social engineering skill
> should help to root the box.
>
> Finally, mail.local shouldn't allow such escape chars even in the mail from
> field and the command mail shouldn't allow such a reply through a pipe.
>
> A space char in the command will finish the string, so either you use a
> single command like '|reboot' or use a comma that should be converted in
> space by mail.
>
> Linux 2.4.0 beta Caldera that was freely distributed during the defcon 00 is
> vulnerable to this problem.
>
> That looks like the old sendmail bugs.
It is quite a stretch to call this a "mail.local" bug.

(1) A well behaved mail program should reply to the address in the
"From:" header, rather than that on the unix "From " line that

(2) The ability to put such addresses with pipes on the "From:"
header is derived from the RFCs that define the mail system.

(3) On a system using sendmail, a recipient address that specifies a
program would not be accepted by sendmail. So this "bug" (if it
is a bug), is due to the mailer program used for replies executing
the program directly. The ucb 'Mail' program, and its near
cousin 'mailx' will execute programs directly if given as
addresses. I have not tested whether they do so when invoked by

If this can cause a problem, the bug is surely in the behavior
of programs such as 'Mail' or 'mailx' which execute pipes given

(4) On a well managed system, there should be an alias for 'root',
so that mail to root is read by a non-root user. Triggering
this "bug" assumes that root will blindly reply to a message
without examining the address to which the reply is being sent.
While that could happen, it could also happen that root has '.'
on the path, and carelessly executes a trojan.

In short, I don't believe there is any significant new bug here. At
most there is one more method that an incompetent system
administrator might be conned into doing something foolish.

And in any case, 'mail.local' is exonerated.
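As an added illustration of points (1) and (3) above, and not code from either poster: a small Python check that a replying mail program could apply, preferring the RFC 822 "From:" header over the Unix "From " envelope line and refusing any reply address that names a pipe, a program or a file instead of a mailbox. The two sample messages are constructed for the example; the '|reboot' sender mirrors the one in the report.

```python
import email
from email.utils import parseaddr
import re

# Constructed sample: the envelope "From " line carries a piped command as
# the sender, while the RFC 822 From: header names an ordinary mailbox.
SAMPLE_PIPED_ENVELOPE = (
    "From |reboot Wed Nov  1 19:17:50 2000\n"
    "From: alice@example.org\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

# Constructed sample: no From: header at all, so only the envelope
# line is available to a replying program.
SAMPLE_NO_HEADER = (
    "From |reboot Wed Nov  1 19:17:50 2000\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

# A reply address must name a mailbox, not a program or file: reject a
# leading '|' or '/' and any shell metacharacter anywhere in the address.
_UNSAFE = re.compile(r"^[|/]|[|;`$<>\\]")


def envelope_sender(raw):
    """Address on the Unix 'From ' envelope line, or None if absent."""
    unixfrom = email.message_from_string(raw).get_unixfrom()
    parts = unixfrom.split(None, 2) if unixfrom else []
    return parts[1] if len(parts) >= 2 else None

def header_sender(raw):
    """Address taken from the RFC 822 'From:' header, or None if absent."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr or None

def is_safe_mailbox(addr):
    """True only for an address that cannot be read as a pipe or a file."""
    return bool(addr) and _UNSAFE.search(addr) is None

def reply_address(raw):
    """Prefer the From: header over the envelope line, then refuse to reply
    at all if the chosen address would be executed rather than delivered to."""
    chosen = header_sender(raw) or envelope_sender(raw)
    return chosen if is_safe_mailbox(chosen) else None
```

With the first sample the reply goes to alice@example.org despite the piped envelope sender; with the second, where only the envelope line exists, no reply address is produced at all.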