From owner-freebsd-security  Thu Nov  2  7:11: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2])
	by hub.freebsd.org (Postfix) with ESMTP id 589FF37B4D7
	for <freebsd-security@FreeBSD.ORG>; Thu,  2 Nov 2000 07:10:54 -0800 (PST)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.3) with ESMTP id SAA22432; Thu, 2 Nov 2000 18:09:12 +0300 (MSK)
Date: Thu, 2 Nov 2000 18:09:12 +0300
From: Vladimir Dubrovin <vlad@sandy.ru>
X-Mailer: The Bat! (v1.47 Halloween Edition)
Reply-To: Vladimir Dubrovin <vlad@sandy.ru>
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <14381494372.20001102180912@sandy.ru>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: vulnerability in mail.local (fwd)
In-reply-To: <200011021428.eA2ESvl34243@cwsys.cwsent.com>
References: <200011021428.eA2ESvl34243@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Cy Schubert - ITSD Open Systems Group,

02.11.00 17:28, you wrote: vulnerability in mail.local (fwd);

>> mail.local(8) is no longer installed as a set-user-id binary.

C> I would think that there is still a non-privileged user exploit.

Under  FreeBSD  mail.local  always  invoked  from  sendmail.  Sendmail
doesn't allow addresses like this:

Nov  2 17:54:07 adm sendmail[19467]: RAA19467: from=|/sbin/reboot@sandy.ru, size
=70, class=0, pri=30070, nrcpts=1, msgid=<200011021453.RAA19467@xxx.xxx.ru>
, proto=SMTP, relay=xxx.xxx.ru [192.168.1.40]
Nov  2 17:54:07 adm sendmail[19540]: RAA19467: to=vlad@sandy.ru, delay=00:00:40,
 xdelay=00:00:00, mailer=fastsmtp, relay=xxx.xxx.ru [192.168.1.5], stat=
Data format error                                                               
Nov  2 17:54:07 adm sendmail[19540]: RAA19467: RAA19540: DSN: Data format error 

all MUAs like "mail" use sendmail instead of mail.local even in case of local user.


-- 
   Vladimir Dubrovin                  Sandy, ISP
    Sandy CCd chief               Customers Care dept
  http://www.sandy.ru           Nizhny Novgorod, Russia
 
http://www.security.nnov.ru




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message