Bugtraq mailing list archives

Re: security hole in mailx


From: volkerdi () MHD1 MOORHEAD MSUS EDU (Patrick J. Volkerding)
Date: Thu, 25 Jun 1998 23:53:56 -0500


On Fri, 26 Jun 1998, Alvaro Martinez Echevarria wrote:
> On Thu, 25 Jun 1998, gold wrote:
>
> > sh-2.02$ id
> > uid=1001(gold) gid=8(mem) groups=100(users)
> > This is on Slackware 3.5.
> > Slack 3.3 was complete euid root.
> > Thank you for the notice, Alvaro.
>
> Ooops. I forgot about Slackware, I didn't report this to them. So
> it seems that under both Slackware 3.3 and 3.5 this bug is a
> direct root compromise:
>
> - under 3.3 you get a direct euid=0; and
> - under 3.5 you are group 8(mem), something that leads me to think
>   that the overflow code was executed as root, because I don't think
>   mailx is setgid "mem" in Slackware 3.5.
>
> Actually, the mailx binary in Slackware 3.3/3.4 is not setuid or setgid:
>
> -rwxr-xr-x   1 root     bin         59420 Aug 16  1996 Mail
>
> I doubt this could be exploited.
>
> The mailx in Slackware 3.5 (mailx-8.1.1-9) is supplied setgid mail, and
> before applying the patch you could probably exploit the overflow to get
> group mail (12).
>
> I'm sending this (and the original report) to Patrick Volkerding.

It would have been nice to get some advance notice, but I caught the post
on BugTraq (after all, BugTraq *is* the breakfast of champions :) and have
a fixed mailx.tgz binary package up for FTP:

ftp://ftp.cdrom.com/pub/linux/slackware/slakware/n3/mailx.tgz

MD5 sum for the package:
6f7047cf74513b34e35610bebf25c82e  mailx.tgz

The patch is also on the same site:

ftp://ftp.cdrom.com/pub/linux/slackware/source/n/mailx/mailx-overflow.diff.gz

And, the MD5 sum on this one is:
c2d69e4823c6c5228a3cb183aeb21720  mailx-overflow.diff.gz

Take care,

Patrick J. Volkerding
Slackware Linux maintainer
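As an added example (my own, not code from the thread or from Slackware): a POSIX sh script for the two checks this exchange turns on, whether the installed mailx binary carries a setuid or setgid bit at all, and whether a downloaded mailx.tgz matches the MD5 sum posted above. The install path /usr/bin/Mail is an assumption; the thread shows only the basename "Mail".

```shell
#!/bin/sh
# Added example, not from the original thread.  Two checks that follow
# from the discussion: (1) does the installed mailx binary carry a
# setuid/setgid bit at all (3.3/3.4 shipped "Mail" as -rwxr-xr-x, so
# nothing to gain; 3.5 shipped it setgid mail), and (2) does a downloaded
# package match the MD5 sum the maintainer posted.

# Classify an ls -l mode string such as "-rwxr-sr-x".  Position 4 is the
# owner execute slot (s/S = setuid), position 7 the group slot (setgid).
# Prints "none", "setuid", "setgid" or "setuid,setgid".
classify_mode() {
    out=""
    case $(printf '%s' "$1" | cut -c4) in s|S) out="setuid" ;; esac
    case $(printf '%s' "$1" | cut -c7) in s|S) out="${out:+$out,}setgid" ;; esac
    printf '%s\n' "${out:-none}"
}

# Report the privilege bits of an installed file (the path is an
# assumption; the thread only shows the basename "Mail").
report_binary() {
    [ -e "$1" ] || { printf '%s: not installed\n' "$1"; return 1; }
    printf '%s: %s\n' "$1" "$(classify_mode "$(ls -ld "$1" | cut -d' ' -f1)")"
}

# MD5 of a file: GNU coreutils md5sum first, BSD/macOS "md5 -q" as fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Succeed only if the file's MD5 equals the expected sum (case-insensitive).
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Demo: the mode string quoted in the thread, then an MD5 check of a
# constructed stand-in file (so this runs offline) against the posted
# mailx.tgz sum; a stand-in will of course not match.
classify_mode '-rwxr-xr-x'                 # none
report_binary /usr/bin/Mail || true         # assumed install path
tmp=$(mktemp); printf 'constructed stand-in, not the real package\n' > "$tmp"
if verify_md5 "$tmp" 6f7047cf74513b34e35610bebf25c82e; then echo "mailx.tgz: MD5 OK"
else echo "mailx.tgz: MD5 MISMATCH, do not install"; fi
rm -f "$tmp"
```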


