Re: Security Problem in MH 6.8.4

From: Prince Ctrl (princectrlat_private)
Date: Mon Jan 19 1998 - 13:46:10 PST


The output of ls -l is the same on a default RedHat 4.2 install.....after trying the same thing with it, nothing happened....I got an error of "No servers available"....Trying with 2400 X's yielded the same results.

I suspect that this is only a bug in RedHat 5.0

PrinceC
princectrlat_private

---Cesar Tascon Alvarez <tasconat_private> wrote:
>
>   Description:
>       Due to lack of security checks there is a standard stack smashing problem.
> Local user can execute code as root.
>
>     Let's see.
>
> [tascon@archivald]$ id
> uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
> [tascon@archivald]$ cat /etc/redhat-release
> release 5.0 (Hurricane)
> [tascon@archivald]$ ls -l /usr/bin/mh/inc
> -rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
> [tascon@archivald]$ /usr/bin/mh/inc
> inc: no mail to incorporate
> [tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]XXXXX      <---- (2000 X's here)
> Segmentation fault
>
> ^^^^^^^^^^^^^^^^^^   Dangerous, isn't it?
>
>    Local exploit exists for that option. Note that MH isn't even configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is installed
> by default with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until a patch becomes
>           available.
>
> MH also installs another suid-program: msgchk. It's also possible to get a
> Segmentation fault with the same option, but I haven't been able to exploit
> it. I have worked on it quite a bit. Could someone probe it a little deeper??
>
>   Greetings
>
>
> ----o-------------------------------o-------------------------------------o----
>   Space reserved to describe      /          Cesar Tascon Alvarez
>     my job when I got one.      /       University of Valladolid (SPAIN)
>  Yes, I'm just a student ;)   /               tasconat_private
> ----o-----------------------o---------------------------------------------o----
>
    
_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
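The quoted report describes a setuid `inc` crashing when its `-host` option is given a 2000-character argument, i.e. an unchecked copy of a command-line argument into a fixed-size stack buffer. The C below is an added example written for this archive page; it is not MH's code and not from either poster. It reconstructs that bug class next to a length-checked version that refuses oversized input instead of copying it, and exercises the checked version with a constructed 2000-X argument like the one in the report. The buffer size `HOSTLEN`, the function names and the error message are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this example; MH's real constant is not on the page. */
#define HOSTLEN 64

/* The flawed pattern of the class the report describes (hypothetical, not MH's
 * source): the argument is copied into a fixed-size stack buffer with no length
 * check, so an argument of HOSTLEN bytes or more overwrites adjacent stack data.
 * Only ever call this with inputs shorter than HOSTLEN; it is here for contrast. */
int set_host_unchecked(const char *arg)
{
    char host[HOSTLEN];
    strcpy(host, arg);               /* no bound: overflow when strlen(arg) >= HOSTLEN */
    return (int)strlen(host);
}

/* Hardened form: measure the argument first, refuse anything that would not fit
 * (including its terminating NUL), and copy only what fits into a caller-owned
 * buffer whose size is passed explicitly. Returns the copied length or -1. */
int set_host_checked(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (n >= outlen) {
        return -1;                   /* refuse rather than truncate silently */
    }
    memcpy(out, arg, n + 1);         /* n bytes plus the NUL */
    return (int)n;
}

/* Build a constructed argument of `count` X's, like the report's 2000 X's. */
char *make_xs(size_t count)
{
    char *s = malloc(count + 1);
    if (s == NULL) {
        return NULL;
    }
    memset(s, 'X', count);
    s[count] = '\0';
    return s;
}

int main(void)
{
    char host[HOSTLEN];
    char *xs = make_xs(2000);
    if (xs == NULL) {
        return 1;
    }
    /* A short host name is accepted... */
    if (set_host_checked("mail.example", host, sizeof host) >= 0) {
        printf("host = %s\n", host);
    }
    /* ...while the 2000-X argument is rejected with an error instead of a crash. */
    if (set_host_checked(xs, host, sizeof host) < 0) {
        puts("inc: -host argument too long");
    }
    free(xs);
    return 0;
}
```

The point of passing `outlen` explicitly is that the check and the copy are tied to the real buffer size at the call site; a setuid program that rejects over-long arguments up front fails closed, which is the behaviour the posters' "remove the suid-bit" workaround is standing in for until the code is fixed.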
    

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:40:03 PDT