Date: Thu, 2 Nov 2000 17:00:34 +0200
From: Ruslan Ermilov
To: security@FreeBSD.org
Subject: Re: vulnerability in mail.local (fwd)
Message-ID: <20001102170034.A210@sunbay.com>
Reply-To: security@FreeBSD.org
References: <20001102092124.A57009@peitho.fxp.org> <200011021428.eA2ESvl34243@cwsys.cwsent.com>
In-Reply-To: <200011021428.eA2ESvl34243@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Nov 02, 2000 at 06:28:28AM -0800

On Thu, Nov 02, 2000 at 06:28:28AM -0800, Cy Schubert wrote:
> >
> > > Looks like we could be vulnerable too.
> >
> > mail.local(8) is no longer suid by default.
>
> I would think that there is still a non-privileged user exploit.
>
Nope, you can't even exploit yourself if it's not setuid-root:

# /usr/libexec/mail.local -l
220 foo.bar LMTP ready
mail from:<|/tmp@foo.bar>
250 2.5.0 ok
rcpt to:
250 2.1.5 ok
data
354 go ahead
Subject: test

test
.
451 4.3.0 lockmailbox /var/mail/ru failed; error code 75
^C

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age