Bugtraq mailing list archives
Security Problem in MH 6.8.4
From: tascon () enete gui uva es (Cesar Tascon Alvarez)
Date: Mon, 19 Jan 1998 16:50:49 +0100
Description:

Due to lack of security checks there is a standard stack smashing problem.
A local user can execute code as root. Let's see.

[tascon@archivald]$ id
uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
[tascon@archivald]$ cat /etc/redhat-release
release 5.0 (Hurricane)
[tascon@archivald]$ ls -l /usr/bin/mh/inc
-rwsr-sr-x 1 root mail 82972 Oct 15 18:06 /usr/bin/mh/inc
[tascon@archivald]$ /usr/bin/mh/inc
inc: no mail to incorporate
[tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
XXXXX    <---- (2000 X's here)
Segmentation fault
^^^^^^^^^^^^^^^^^^

Dangerous, isn't it? A local exploit exists for that option.

Note that MH isn't even configured. It's as the installation of RedHat 5.0
left it. Note also that MH is installed by default with RedHat 5.0.

Solution:

Uninstall this package or remove the suid-bit until a patch becomes available.

MH also installs another suid program: msgchk. It's also possible to get a
Segmentation fault with the same option, but I haven't been able to exploit it.
I have worked on it quite a bit. Could someone probe it a little deeper??

Greetings

----o-------------------------------o-------------------------------------o----
 Space reserved to describe        /  Cesar Tascon Alvarez
 my job when I got one.           /   University of Valladolid (SPAIN)
 Yes, I'm just a student ;)      /    tascon () gui uva es
----o-----------------------o---------------------------------------------o----
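An added illustration, not part of the original post and not MH's code: the post does not show the source, so this assumes the crash comes from copying the `-host` argument into a fixed-size stack buffer without a length check. The names `set_host_unchecked`, `set_host_checked` and `HOST_MAX` are hypothetical; the checked form rejects an oversized argument instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* hypothetical buffer size, not taken from MH */

/* Unsafe pattern: copies a user-controlled argument with no bound.
 * Shown for contrast only; it is never called in this example. */
void set_host_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);               /* writes past dst when arg is too long */
}

/* Checked form: refuse the argument outright rather than truncate it,
 * so a setuid program never acts on a half-copied host name.
 * Returns 0 on success, -1 if arg is NULL, empty or does not fit. */
int set_host_checked(char *dst, size_t dstlen, const char *arg)
{
    const char *end;
    size_t n;

    if (dst == NULL || dstlen == 0 || arg == NULL)
        return -1;
    end = memchr(arg, '\0', dstlen);    /* look for NUL within dstlen bytes */
    if (end == NULL || end == arg)
        return -1;                      /* too long, or empty */
    n = (size_t)(end - arg);
    memcpy(dst, arg, n + 1);            /* n + 1 <= dstlen, includes the NUL */
    return 0;
}

int main(int argc, char **argv)
{
    char host[HOST_MAX];
    int i;

    for (i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-host") == 0) {
            if (set_host_checked(host, sizeof host, argv[i + 1]) != 0) {
                fprintf(stderr, "demo: -host argument rejected\n");
                return 1;
            }
            printf("host = %s\n", host);
            return 0;
        }
    }
    fprintf(stderr, "usage: demo -host name\n");
    return 1;
}
```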