Bugtraq mailing list archives

Re: Security Problem in MH 6.8.4


From: mparson () SMARTNAP COM (mparson () SMARTNAP COM)
Date: Mon, 19 Jan 1998 14:35:21 -0600


In message <Pine.LNX.3.93.980119164955.9902A-100000 () enete gui uva es>, you write:
Description:
  Due to lack of security checks there is a standard stack smashing problem.
Local user can execute code as root.

    Let's see.

<descrip of exploit removed>

   Local exploit exists for that option. Note that MH isn't even configured.
It's as the installation of RedHat 5.0 left it. Note also that MH is installed
by default with RedHat 5.0.

Solution: Uninstall this package or remove the suid-bit until patch becomes
          available.

How about:

Remove suid bit from inc.

Instead, use popclient to retrieve mail and procmail/rcvstore to deliver
the messages into the MH mailboxes.  This still allows users to use inc
to suck in mbox format mailboxes.

The popclient package is also installed by default with RedHat (at least it
was with 4.2, I haven't installed 5.0 yet).

MH also installs another suid-program: msgchk. It's also possible to get a
Segmentation fault with the same option, but I haven't been able to exploit
it. I have worked on it quite a few. Could someone probe it a little deeper??

  Greetings

--
Michael Parson
News Admin
SMART-NAP
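
The mitigation discussed in this message (removing the suid bit from inc, and checking msgchk, which the quoted advisory says is also installed suid), as an added shell example that is not part of the original post. The directory argument is an assumption: the thread does not give the MH install path, so pass the one your system uses.

```shell
#!/bin/sh
# Added example: report, and optionally strip, the setuid bit on the two MH
# programs named in this thread. Not from the original post.
# The directory passed in is an assumption; the thread gives no install path.

# is_setuid FILE -> exit status 0 if FILE is a regular file with the setuid bit set
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_mh DIR [--fix]
# Prints one status line per program. Without --fix it only reports.
# Return status = number of programs that are still setuid afterwards.
audit_mh() {
    dir=$1
    fix=${2:-}
    remaining=0
    for prog in inc msgchk; do
        path="$dir/$prog"
        if [ ! -e "$path" ]; then
            echo "absent  $path"
        elif is_setuid "$path"; then
            # Strip the bit only when asked, then re-check instead of trusting chmod
            if [ "$fix" = "--fix" ] && chmod u-s "$path" && ! is_setuid "$path"; then
                echo "fixed   $path"
            else
                echo "SETUID  $path"
                remaining=$((remaining + 1))
            fi
        else
            echo "ok      $path"
        fi
    done
    return "$remaining"
}

# Stand-alone use: sh audit_mh.sh <mh-bin-dir> [--fix]
if [ "$#" -gt 0 ]; then
    audit_mh "$@"
fi
```

Run it without --fix first to see what is setuid; a non-zero exit status means at least one of the two programs still carries the bit.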


