Does one of the others use procmail by default?

On Mon, 4 Jun 2001, Roland Dworschak wrote:

> Hi,
>
> I'm running Slackware 7.1 with the same mail version as you: Mail version
> 8.1 6/6/93, but it didn't core dump here:
>
> del@unity:~$ wget http://owned.lab6.com/~gossi/crashmail.txt
> del@unity:~$ cp crashmail.txt /var/spool/mail/del
> del@unity:~$ mail
> Mail version 8.1 6/6/93. Type ? for help.
> "/var/spool/mail/del": 1 message 1 new
> >N  1 sup-infoat_private  Sat Jun  2 04:52  161/5376 "Security Update:
> [CSS"
>
> /usr/bin/Mail is not suid here.
>
>
> regards,
>
> roland dworschak
>
>
> -----Original Message-----
> From: Gossi The Dog [mailto:gossiat_private]
> Sent: Sunday, June 03, 2001 7:41 PM
> To: vuln-devat_private
> Subject: Mail bug
>
>
> Hi,
>
> I've discovered slightly odd behaviour from /usr/bin/Mail on my Redhat 6.2
> box. I don't really have the time to fiddle with this, so I'm hoping you
> guys can provide feedback as to whether this is reproducible on other systems.
>
> Let's start with version numbers;
>
> [gossi@owned gossi]$ strings /bin/mail | grep version
> version
> Mail version %s. Type ? for help.
> $OpenBSD: version.c,v 1.4 1996/06/08 19:48:46 christos Exp $
>
> [gossi@owned gossi]$ mail
> Mail version 8.1 6/6/93. Type ? for help.
>
> Now, the bug appears to be this;
>
> If Mail encounters hex character x00 (aka ^@ as vi shows it), it seg
> faults and dumps its core. On Slackware and (I believe) Debian, Mail is
> suid root. On Redhat it isn't. Other distros might have the suid bit
> set.
>
> There are two ways to easily reproduce this;
>
> echo -e \\x00 >/var/spool/mail/gossi
> mail
>
> (substituting gossi for your userid, obviously). If it works, it should
> die.
>
> Or;
>
> wget http://owned.lab6.com/~gossi/crashmail.txt
> cp crashmail.txt /var/spool/mail/gossi
> mail
>
> I'd recommend using wget, as IE appears to drop the x00 character. You
> can check you have the mail file in question by looking with vi - the last
> line should read ^@.
>
> Example of it reproduced on owned.lab6.com (Redhat 6.2);
>
> -------
> [gossi@owned gossi]$ wget http://owned.lab6.com/~gossi/crashmail.txt
> --18:37:41--  http://owned.lab6.com:80/%7Egossi/crashmail.txt
>            => `crashmail.txt'
> Connecting to owned.lab6.com:80... connected!
> HTTP request sent, awaiting response... 200 OK
> Length: 5,378 [text/plain]
>
>     0K -> .....                                                  [100%]
>
> 18:37:41 (5.13 MB/s) - `crashmail.txt' saved [5378/5378]
>
> [gossi@owned gossi]$ cp crashmail.txt /var/spool/mail/gossi
> [gossi@owned gossi]$ mail
> Segmentation fault (core dumped)
>
> ---------
>
> So, roughly, the questions I can see are;
>
> a) can you reproduce it
> b) what OS/distro
> c) is Mail suid root?
> d) why is it doing this, and is it exploitable?
>
>
> Regards,
> Gossi The Dog.
>
> roland dworschak
> linux administration
> ---------------------
> security information-
> resource @ defense.at
> ---------------------
> hans sachs gasse 11
> a - 5020 salzburg
> Tel: +43 662 430473
> Fax: +43 662 430470
> Mob: +43 699 11032868
> ---------------------
> http://www.defense.at
> mailto:delat_private
>
>
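Two of the questions raised in the thread, whether the Mail binary is setuid on a given box and whether a spool file really carries the 0x00 byte (the thread relies on eyeballing it in vi), can be answered from a shell. This is an added example and not code from either poster; the binary paths in MAIL_BINS and the spool directory are assumptions to adjust per distribution.

```shell
#!/bin/sh
# Defender-side checks for the Mail(1) NUL-byte crash discussed in the thread.
# Added example, not from the original posts. Paths below are assumptions.
MAIL_BINS="/usr/bin/Mail /bin/mail /usr/bin/mail"
SPOOL_DIR="/var/spool/mail"

# has_nul_byte FILE: exit 0 if FILE contains at least one 0x00 byte.
# od prints every byte as two hex digits; tr puts one byte per line.
has_nul_byte() {
    od -An -v -tx1 "$1" | tr -s ' \t' '\n\n' | grep -qx 00
}

# count_nul_bytes FILE: print how many 0x00 bytes FILE contains
# (size of the file minus its size with NUL bytes deleted).
count_nul_bytes() {
    total=$(wc -c < "$1")
    stripped=$(tr -d '\000' < "$1" | wc -c)
    echo $((total - stripped))
}

# is_setuid FILE: exit 0 if FILE exists and carries the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# report_setuid_mail: one line per installed mail binary with its setuid state.
# A crash in a setuid binary is the case worth escalating; an unprivileged
# one only affects the user reading their own spool.
report_setuid_mail() {
    for b in $MAIL_BINS; do
        [ -e "$b" ] || continue
        if is_setuid "$b"; then
            echo "$b: setuid (crash crosses a privilege boundary)"
        else
            echo "$b: not setuid"
        fi
    done
}

# scan_spool DIR: list spool files that contain NUL bytes, i.e. files
# that would trigger the segfault in the affected Mail version.
scan_spool() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if has_nul_byte "$f"; then
            echo "$f: contains $(count_nul_bytes "$f") NUL byte(s)"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    report_setuid_mail
    scan_spool "$SPOOL_DIR"
fi
```

Run it as `sh checkmail.sh --run`; without `--run` the file only defines the functions so they can be sourced.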
This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 23:02:28 PDT