Bugtraq mailing list archives
Re: Security Problem in MH 6.8.4
From: mparson () SMARTNAP COM (mparson () SMARTNAP COM)
Date: Mon, 19 Jan 1998 14:35:21 -0600
In message <Pine.LNX.3.93.980119164955.9902A-100000 () enete gui uva es>, you write:
> Description: Due to lack of security checks there is a standard stack smashing problem. Local user can execute code as root. Let's see.
<descrip of exploit removed>
> Local exploit exists for that option. Note that MH isn't even configured. It's as the installation of RedHat 5.0 left it. Note also that MH is installed by default with RedHat 5.0. Solution: Uninstall this package or remove the suid-bit until patch becomes available.
How about: Remove suid bit from inc. Instead, use popclient to retrieve mail and procmail/rcvstore to deliver the messages into the MH mailboxes. This still allows users to use inc to suck in mbox format mailboxes. The popclient package is also installed by default with RedHat (at least it was with 4.2, I haven't installed 5.0 yet).
> MH also installs another suid-program: msgchk. It's also possible to get a Segmentation fault with the same option, but I haven't been able to exploit it. I have worked on it quite a few. Could someone probe it a little deeper?? Greetings
-- Michael Parson News Admin SMART-NAP
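The mitigation discussed in this message (removing the setuid bit from inc, with msgchk named as the other setuid MH program), as an added shell example that is not part of the original post. The `suid_audit` function name and the `MH_DIR` default path are assumptions made for illustration; point `MH_DIR` at wherever MH is installed on your system.

```shell
#!/bin/sh
# Added example: report, and optionally strip, the setuid bit on the MH
# programs named in this thread. MH_DIR is an assumed install location,
# not a path taken from the post.
MH_DIR="${MH_DIR:-/usr/bin/mh}"

# suid_audit [-f] DIR PROG...
#   Prints one line per program:
#     "suid PATH"     setuid bit is set (and was not removed)
#     "fixed PATH"    setuid bit was set and -f removed it
#     "ok PATH"       file exists without the setuid bit
#     "missing PATH"  no such file
#   Returns 1 if any listed program is still setuid afterwards, else 0.
suid_audit() {
    fix=0
    if [ "$1" = "-f" ]; then fix=1; shift; fi
    dir=$1; shift
    remaining=0
    for prog in "$@"; do
        path="$dir/$prog"
        if [ ! -e "$path" ]; then
            echo "missing $path"
        elif [ -u "$path" ]; then
            # Re-test after chmod so a silent failure is still reported.
            if [ "$fix" -eq 1 ] && chmod u-s "$path" && [ ! -u "$path" ]; then
                echo "fixed $path"
            else
                echo "suid $path"
                remaining=1
            fi
        else
            echo "ok $path"
        fi
    done
    return "$remaining"
}

# Report only. Run `suid_audit -f "$MH_DIR" inc msgchk` as root to strip the bit.
suid_audit "$MH_DIR" inc msgchk || true
```

A package upgrade or reinstall can restore the original file modes, so the report-only form is worth re-running after updates.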