Bugtraq mailing list archives

Re: vulnerability in mail.local


From: Nic Bellamy <nic () BELLAMY CO NZ>
Date: Thu, 2 Nov 2000 15:12:26 +1300

On Wed, 1 Nov 2000, gregory duchemin wrote:

> mail.local is a little setuid root prog designed, like its name suggests, for
> local mail delivering.

[snip]

The problem is not in mail.local at all, it's in 'mail' (/bin/mail,
/usr/bin/mail or similar). When you attempt to reply to a message from
<|/tmp/some@file>, 'mail' will attempt to send it via that program.

The same problem can be seen in a simple fashion from the command line,
e.g.

$ mail '|/usr/bin/id'
Subject: test message
testing
.
Cc:
$ uid=1000(nic) gid=1000(nic)

So, to summarise, you are not vulnerable unless you:

      (a) use /bin/mail to handle your email,
  and (b) reply to an email with a from address starting with '|'.

Regards,
        Nic.

-- Nic Bellamy <nic () bellamy co nz>
   IT Consultant, Asterisk Limited - http://www.asterisk.co.nz/
   Ph: +64-9-360-0905 Fax: +64-9-360-0906 Mob: +64-21-360-905
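
A defensive check for condition (b) above, as an added example that is not part of the original post: it scans the headers a reply address may be taken from and reports any address starting with '|'. The header list, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import re

# Headers a mail client may take the reply address from (assumed list).
REPLY_HEADERS = ("From", "Reply-To", "Sender")

def addr_specs(value):
    """Return the address parts of a header value: the text inside <...>,
    or the comma-separated bare values when no angle brackets are present."""
    bracketed = re.findall(r"<([^<>]*)>", value)
    parts = bracketed if bracketed else value.split(",")
    return [p.strip().strip("\"'") for p in parts if p.strip()]

def pipe_addresses(raw_message):
    """List (header, address) pairs whose address starts with '|',
    i.e. addresses that 'mail' would hand to a program instead of a mailbox."""
    msg = email.message_from_string(raw_message)
    hits = []
    for name in REPLY_HEADERS:
        for value in msg.get_all(name, []):
            for spec in addr_specs(value):
                if spec.startswith("|"):
                    hits.append((name, spec))
    return hits

# Constructed sample messages (hypothetical, not from the original post).
SAMPLES = {
    "benign": "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n",
    "pipe-from": "From: <|/tmp/some@file>\nSubject: hi\n\nbody\n",
    "pipe-reply-to": "From: bob@example.org\nReply-To: |/usr/bin/id\n\nbody\n",
}

def scan(samples=SAMPLES):
    """Map each sample label to the pipe-style addresses found in it."""
    return {label: pipe_addresses(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, hits in scan().items():
        print(label, "->", hits or "ok")
```

A delivery filter or wrapper around the mail client can call pipe_addresses() on each incoming message and quarantine or rewrite any message that returns a non-empty list.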

