Bugtraq mailing list archives

Re: Security Problem in MH 6.8.4


From: princectrl () ROCKETMAIL COM (Prince Ctrl)
Date: Mon, 19 Jan 1998 13:46:10 -0800


The output with ln -l is the same on a default RedHat 4.2
install.....after trying the same thing with it, nothing happened....I
got an error of "No servers available"....Trying with 2400 X's yielded
the same results.

I suspect that this is only a bug in RedHat 5.0




PrinceC
princectrl () rocketmail com





---Cesar Tascon Alvarez <tascon () ENETE GUI UVA ES> wrote:

  Description:
      Due to lack of security checks there is a standard stack smashing problem.
Local user can execute code as root.

    Let's see.

[tascon@archivald]$ id
uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
[tascon@archivald]$ cat /etc/redhat-release
release 5.0 (Hurricane)
[tascon@archivald]$ ls -l /usr/bin/mh/inc
-rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
[tascon@archivald]$ /usr/bin/mh/inc
inc: no mail to incorporate
[tascon@archivald]$ /usr/bin/mh/inc -host
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
XXXXX      <---- (2000 X's here)
Segmentation fault

^^^^^^^^^^^^^^^^^^   Dangerous isn't it?

   Local exploit exists for that option. Note that MH isn't even configured.
It's as the installation of RedHat 5.0 left it. Note also that MH is installed
by default with RedHat 5.0.

Solution: Uninstall this package or remove the suid-bit until patch becomes
          available.

MH also installs another suid-program: msgchk. It's also possible to get a
Segmentation fault with the same option, but I haven't been able to exploit
it. I have worked on it quite a few. Could someone probe it a little deeper??

  Greetings



----o-------------------------------o-------------------------------------o----
  Space reserved to describe      /          Cesar Tascon Alvarez
    my job when I got one.      /       University of Valladolid (SPAIN)
 Yes, I'm just a student ;)   /               tascon () gui uva es

----o-----------------------o---------------------------------------------o----
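
The workaround quoted above ("remove the suid-bit until patch becomes available") covers both inc and msgchk. The following is an added example, not part of either post: it lists the set-id files under a directory, records their modes, and clears the bits. The function names `list_setid` and `strip_setid` are hypothetical; the directory `/usr/bin/mh` is taken from the `ls -l` listing in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# The directory /usr/bin/mh comes from the ls -l listing in the post.

# list_setid DIR: print regular files under DIR carrying setuid or setgid.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# strip_setid DIR: record each file's current mode on stderr (so it can be
# restored once a fixed package is installed), clear both bits, and print
# the number of files that were changed.
strip_setid() {
    dir=$1
    before=$(list_setid "$dir" | wc -l)
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + >&2
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
    after=$(list_setid "$dir" | wc -l)
    echo $((before - after))
}

# Run only when a directory is given, e.g.:  sh strip_setid.sh /usr/bin/mh
if [ $# -gt 0 ]; then
    echo "set-id files before:" >&2
    changed=$(strip_setid "$1")
    echo "cleared set-id bits on $changed file(s) under $1" >&2
fi
```

Without the set-id bits the programs still run, but with the invoking user's own privileges, so mail delivery setups that relied on the elevated mode need checking afterwards.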




