Mail bug

From: Gossi The Dog (gossiat_private)
Date: Sun Jun 03 2001 - 10:40:48 PDT


    Hi,
    
    I've discovered slightly odd behaviour from /usr/bin/Mail on my Redhat 6.2
    box.  I don't really have the time to fiddle with this, so I'm hoping you
    guys can provide feedback as to if this is reproducible on other systems.
    
    Let's start with version numbers;
    
    [gossi@owned gossi]$ strings /bin/mail | grep version
    version
    Mail version %s.  Type ? for help.
    $OpenBSD: version.c,v 1.4 1996/06/08 19:48:46 christos Exp $
    
    [gossi@owned gossi]$ mail
    Mail version 8.1 6/6/93.  Type ? for help.
    
    Now, the bug appears to be this;
    
    If Mail encounters hex character x00 (aka ^@ as vi shows it), it
    segfaults and dumps core.  On Slackware and (I believe) Debian, Mail is
    suid root.  On Redhat it isn't.  Other distros might have the suid bit
    set.
    
    There are two ways to easily reproduce this;
    
    echo -e \\x00 >/var/spool/mail/gossi
    mail
    
    (substituting gossi for your userid, obviously).  If it works, it should
    die.
    
    Or;
    
    wget http://owned.lab6.com/~gossi/crashmail.txt
    cp crashmail.txt /var/spool/mail/gossi
    mail
    
    I'd recommend using wget, as IE appears to drop the x00 character.  You
    can check you have the mail file in question by looking with vi - the last
    line should read ^@.
    
    Example of it reproduced on owned.lab6.com (Redhat 6.2);
    
    -------
    [gossi@owned gossi]$ wget http://owned.lab6.com/~gossi/crashmail.txt
    --18:37:41--  http://owned.lab6.com:80/%7Egossi/crashmail.txt
               => `crashmail.txt'
    Connecting to owned.lab6.com:80... connected!
    HTTP request sent, awaiting response... 200 OK
    Length: 5,378 [text/plain]
    
        0K -> .....                                                  [100%]
    
    18:37:41 (5.13 MB/s) - `crashmail.txt' saved [5378/5378]
    
    [gossi@owned gossi]$ cp crashmail.txt /var/spool/mail/gossi
    [gossi@owned gossi]$ mail
    Segmentation fault (core dumped)
    
    ---------
    
    So, roughly, the questions I can see are;
    
    a) can you reproduce it
    b) what OS/distro
    c) is Mail suid root?
    d) why is it doing this, and is it exploitable?
    
    
    Regards,
    Gossi The Dog.
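
The reproduction steps above, packaged as a small shell script.  This is an
added example and is not part of the original post: it builds the same
one-NUL-byte file that the `echo -e \\x00` line produces, but in a private
mbox under $TMPDIR instead of overwriting /var/spool/mail, checks with od
that the NUL byte really survived (the post notes IE drops it), and then
opens the file with `mail -N -f` if mail is installed.  The MAILBOX path,
the use of `-f`/`-N`, and the optional `timeout` wrapper are assumptions,
not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post).  Reproduces the "NUL byte in
# mailbox" crash against a private mbox rather than the real spool file.
# Assumptions: the mail binary accepts -N (no header listing) and -f FILE
# (open an alternate mailbox); a NUL-only file is enough, as in the post.

MAILBOX="${MAILBOX:-${TMPDIR:-/tmp}/crashmail.$$}"

# Same bytes as "echo -e \\x00 >/var/spool/mail/gossi": NUL then newline.
make_crashbox() {
    printf '\000\n' > "$1"
}

# Count NUL bytes via od so the check does not depend on grep/tr coping
# with NUL.  Prints the count; "|| true" keeps grep's exit 1 (no match)
# from tripping "set -e" callers.
count_nul() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n' | grep -c '^00$' || true
}

# Hex of the final two bytes.  "000a" means the file ends in ^@ followed by
# a newline, which is exactly what vi shows as a last line reading ^@.
last_two_bytes_hex() {
    tail -c 2 "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Open the crash mailbox with mail, if present, and report the exit status.
# A status of 139 (128 + SIGSEGV) from the shell is the "Segmentation fault"
# seen in the post.  Always returns 0 so callers under "set -e" survive.
run_mail_against() {
    if ! command -v mail >/dev/null 2>&1; then
        echo "mail not installed; skipping live test"
        return 0
    fi
    runner=""
    if command -v timeout >/dev/null 2>&1; then
        runner="timeout 10"      # assumption: GNU-style timeout is available
    fi
    status=0
    $runner mail -N -f "$1" </dev/null >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 139 ]; then
        echo "mail died with SIGSEGV (exit $status) on $1"
    else
        echo "mail exited with status $status on $1"
    fi
    return 0
}

# Stand-alone run: build the file, prove the NUL is there, then try mail.
reproduce() {
    make_crashbox "$MAILBOX"
    echo "NUL bytes in $MAILBOX: $(count_nul "$MAILBOX")"
    echo "last two bytes (hex): $(last_two_bytes_hex "$MAILBOX")"
    run_mail_against "$MAILBOX"
    rm -f "$MAILBOX"
}

reproduce
```

Run it as an unprivileged user; because it never touches /var/spool/mail it
is safe to try on a box where mail is setuid, and the od checks tell you
whether a failure to crash is due to the binary or to a test file that lost
its NUL byte in transit.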
    



    This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 16:35:09 PDT