Bugtraq mailing list archives
Re: security hole in mailx
From: volkerdi () MHD1 MOORHEAD MSUS EDU (Patrick J. Volkerding)
Date: Thu, 25 Jun 1998 23:53:56 -0500
On Fri, 26 Jun 1998, Alvaro Martinez Echevarria wrote:
> On Thu, 25 Jun 1998, gold wrote:
> > sh-2.02$ id
> > uid=1001(gold) gid=8(mem) groups=100(users)
> > this is on Slackware 3.5; Slack 3.3 was complete euid root
> > thank you for notice
> > alvaro
>
> Oops. I forgot about Slackware, I didn't report this to them. So it seems that under both Slackware 3.3 and 3.5 this bug is a direct root compromise:
> - under 3.3 you get a direct euid=0; and
> - under 3.5 you are group 8(mem), something that leads me to think that the overflow code was executed as root, because I don't think mailx is setgid "mem" in Slackware 3.5.
Actually, the mailx binary in Slackware 3.3/3.4 is not setuid or setgid:

-rwxr-xr-x   1 root     bin         59420 Aug 16  1996 Mail

I doubt this could be exploited. The mailx in Slackware 3.5 (mailx-8.1.1-9) is supplied setgid mail, and before applying the patch you could probably exploit the overflow to get group mail (12).
> I'm sending this (and the original report) to Patrick Volkerding.
It would have been nice to get some advance notice, but I caught the post on BugTraq (after all, BugTraq *is* the breakfast of champions :) and have a fixed mailx.tgz binary package up for FTP:

ftp://ftp.cdrom.com/pub/linux/slackware/slakware/n3/mailx.tgz

MD5 sum for the package:

6f7047cf74513b34e35610bebf25c82e  mailx.tgz

The patch is also on the same site:

ftp://ftp.cdrom.com/pub/linux/slackware/source/n/mailx/mailx-overflow.diff.gz

And, the MD5 sum on this one is:

c2d69e4823c6c5228a3cb183aeb21720  mailx-overflow.diff.gz

Take care,

Patrick J. Volkerding
Slackware Linux maintainer
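An added example, not part of the thread or of Slackware's own tooling: a small POSIX shell audit that reproduces the two checks the exchange above turns on, namely whether the installed mailx/Mail binary carries setuid or setgid bits (and so what an overflow in it would hand an attacker), and whether a downloaded mailx.tgz matches the MD5 sum Patrick posted. It assumes find, ls, awk and either GNU md5sum or BSD md5 are available.

```shell
#!/bin/sh
# Added example, not from the thread: audit the privilege bits of a mailx/Mail
# binary and verify a downloaded package against the MD5 sum Patrick posted.
# Assumes a POSIX sh with find, ls, awk and either md5sum (GNU) or md5 (BSD).

# MD5 sum given in the thread for the fixed Slackware 3.5 mailx.tgz.
EXPECTED_MAILX_MD5=6f7047cf74513b34e35610bebf25c82e

# priv_bits FILE -> prints setuid, setgid, setuid+setgid or none
priv_bits() {
    suid=$(find "$1" -prune -perm -4000 2>/dev/null)
    sgid=$(find "$1" -prune -perm -2000 2>/dev/null)
    if [ -n "$suid" ] && [ -n "$sgid" ]; then echo setuid+setgid
    elif [ -n "$suid" ]; then echo setuid
    elif [ -n "$sgid" ]; then echo setgid
    else echo none
    fi
}

# risk_note FILE -> one-line verdict matching the reasoning in the thread:
# an overflow in an unprivileged binary runs as the caller, a setgid one
# hands out the file's group, a setuid one the owner's uid.
risk_note() {
    case $(priv_bits "$1") in
        none)   echo "not privileged: overflow runs as the invoking user" ;;
        setgid) echo "setgid: overflow yields group $(ls -ld "$1" | awk '{print $4}')" ;;
        *)      echo "setuid: overflow yields uid of $(ls -ld "$1" | awk '{print $3}')" ;;
    esac
}

# md5_matches FILE EXPECTED -> exit status 0 only if the sums agree
md5_matches() {
    if command -v md5sum >/dev/null 2>&1; then
        have=$(md5sum "$1" | awk '{print $1}')
    else
        have=$(md5 -q "$1")
    fi
    [ "$have" = "$2" ]
}

# Usage: risk_note /usr/bin/Mail; md5_matches mailx.tgz "$EXPECTED_MAILX_MD5"
```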