Security Problem in MH 6.8.4

From: Cesar Tascon Alvarez (tasconat_private)
Date: Mon Jan 19 1998 - 07:50:49 PST


    Description:
    Due to lack of security checks there is a standard stack smashing problem.
    Local user can execute code as root.
    
        Let's see.
    
    [tascon@archivald]$ id
    uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
    [tascon@archivald]$ cat /etc/redhat-release
    release 5.0 (Hurricane)
    [tascon@archivald]$ ls -l /usr/bin/mh/inc
    -rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
    [tascon@archivald]$ /usr/bin/mh/inc
    inc: no mail to incorporate
    [tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
    XXXXX      <---- (2000 X's here)
    Segmentation fault
    
    ^^^^^^^^^^^^^^^^^^   Dangerous, isn't it?
    
       Local exploit exists for that option. Note that MH isn't even configured.
    It's as the installation of RedHat 5.0 left it. Note also that MH is installed
    by default with RedHat 5.0.
    
    Solution: Uninstall this package or remove the suid-bit until patch becomes
              available.
    
    MH also installs another suid program: msgchk. It's also possible to get a
    Segmentation fault with the same option, but I haven't been able to exploit
    it. I have worked on it quite a bit. Could someone probe it a little deeper?
    
      Greetings
    
    
    ----o-------------------------------o-------------------------------------o----
      Space reserved to describe      /          Cesar Tascon Alvarez
        my job when I got one.      /       University of Valladolid (SPAIN)
     Yes, I'm just a student ;)   /               tasconat_private
    ----o-----------------------o---------------------------------------------o----
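Editor's added example (not code from the original post and not MH's source): the bug class the report describes is a setuid program copying a command-line option into a fixed-size stack buffer with no length check. The snippet below shows that pattern next to a bounds-checked replacement that fails closed on an over-long value such as the 2000-character `-host` argument in the transcript. The function names, the 64-byte `HOST_MAX` limit and the sample hostname are assumptions chosen for the demonstration.

```c
/* Added example: unbounded option copy versus a bounds-checked one.
 * Not MH's code; HOST_MAX and the function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64   /* assumed size of the hostname buffer */

/* Vulnerable pattern: the argument length is never checked, so an
 * over-long value runs past 'host' into the saved frame pointer and
 * return address. Kept only for comparison; never call it with
 * untrusted input. */
void parse_host_unsafe(const char *arg)
{
    char host[HOST_MAX];
    strcpy(host, arg);            /* no bound: classic stack smash */
    printf("host=%s\n", host);
}

/* Hardened pattern: measure the argument without scanning past the
 * buffer size, reject anything that does not fit with its NUL, and
 * always terminate. Returns 0 on success, -1 if rejected. */
int parse_host_safe(const char *arg, char *host, size_t host_len)
{
    size_t n = 0;
    if (arg == NULL || host == NULL || host_len == 0)
        return -1;
    while (n < host_len && arg[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= host_len)            /* no room for the terminating NUL */
        return -1;
    memcpy(host, arg, n);
    host[n] = '\0';
    return 0;
}

/* Helper: does a normal hostname pass the hardened parser? 1 = yes. */
int host_arg_accepted(const char *arg)
{
    char host[HOST_MAX];
    return parse_host_safe(arg, host, sizeof host) == 0;
}

/* Helper: build a constructed argument of 'count' X's, like the one in
 * the report, and return the hardened parser's verdict (0 or -1). */
int check_host_arg_len(size_t count)
{
    char host[HOST_MAX];
    int rc;
    char *s = malloc(count + 1);
    if (s == NULL)
        return -1;
    memset(s, 'X', count);
    s[count] = '\0';
    rc = parse_host_safe(s, host, sizeof host);
    free(s);
    return rc;
}

int main(int argc, char **argv)
{
    char host[HOST_MAX];
    /* "mail.example.org" is a constructed sample value */
    const char *arg = (argc > 1) ? argv[1] : "mail.example.org";
    if (parse_host_safe(arg, host, sizeof host) != 0) {
        fprintf(stderr, "-host value too long (limit %d bytes)\n",
                HOST_MAX - 1);
        return 1;
    }
    printf("host=%s\n", host);
    return 0;
}
```

The safe version never calls `strlen` on the argument, since an unterminated or very long string should not be walked further than the destination can hold; it returns an error instead of truncating silently, because a truncated hostname is still the wrong hostname. The same bounded-copy discipline is the fix the author is asking for, and until such a patch ships, dropping the suid bit as the post suggests removes the privilege boundary that makes the crash matter.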
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:56 PDT