Vulnerability Development mailing list archives
Re: Mail bug
From: "Roland Dworschak" <roland () defense at>
Date: Mon, 4 Jun 2001 20:08:59 +0200
Hi,

I'm running Slackware 7.1 with the same mail version as you, Mail version 8.1 6/6/93, but it didn't core dump here:

del@unity:~$ wget http://owned.lab6.com/~gossi/crashmail.txt
del@unity:~$ cp crashmail.txt /var/spool/mail/del
del@unity:~$ mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/spool/mail/del": 1 message 1 new
N  1 sup-info@opus.calder  Sat Jun  2 04:52  161/5376  "Security Update: [CSS"

/usr/bin/Mail is not suid here.

regards,
roland dworschak

-----Original Message-----
From: Gossi The Dog [mailto:gossi () owned lab6 com]
Sent: Sunday, June 03, 2001 7:41 PM
To: vuln-dev () securityfocus com
Subject: Mail bug

Hi,

I've discovered slightly odd behaviour from /usr/bin/Mail on my Redhat 6.2 box. I don't really have the time to fiddle with this, so I'm hoping you guys can provide feedback as to whether this is reproducible on other systems.

Let's start with version numbers;

[gossi@owned gossi]$ strings /bin/mail | grep version
version
Mail version %s.  Type ? for help.
$OpenBSD: version.c,v 1.4 1996/06/08 19:48:46 christos Exp $
[gossi@owned gossi]$ mail
Mail version 8.1 6/6/93.  Type ? for help.

Now, the bug appears to be this; if Mail encounters hex character x00 (aka ^@ as vi shows it), it seg faults and dumps its core. On Slackware and (I believe) Debian, Mail is suid root. On Redhat it isn't. Other distros might have the suid bit set.

There are two ways to easily reproduce this;

echo -e \\x00 >/var/spool/mail/gossi
mail

(substituting gossi for your userid, obviously). If it works, it should die. Or;

wget http://owned.lab6.com/~gossi/crashmail.txt
cp crashmail.txt /var/spool/mail/gossi
mail

I'd recommend using wget, as IE appears to drop the x00 character. You can check you have the mail file in question by looking with vi - the last line should read ^@.

Example of it reproduced on owned.lab6.com (Redhat 6.2);
-------
[gossi@owned gossi]$ wget http://owned.lab6.com/~gossi/crashmail.txt
--18:37:41--  http://owned.lab6.com:80/%7Egossi/crashmail.txt
           => `crashmail.txt'
Connecting to owned.lab6.com:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 5,378 [text/plain]

    0K -> .....                                                  [100%]

18:37:41 (5.13 MB/s) - `crashmail.txt' saved [5378/5378]

[gossi@owned gossi]$ cp crashmail.txt /var/spool/mail/gossi
[gossi@owned gossi]$ mail
Segmentation fault (core dumped)
---------

So, roughly, the questions I can see are;

a) can you reproduce it
b) what OS/distro
c) is Mail suid root?
d) why is it doing this, and is it exploitable?

Regards,
Gossi The Dog.

roland dworschak
linux administration
---------------------
security information- resource @ defense.at
---------------------
hans sachs gasse 11
a - 5020 salzburg
Tel: +43 662 430473
Fax: +43 662 430470
Mob: +43 699 11032868
---------------------
http://www.defense.at
mailto:del () defense at
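A defender-side check for the condition discussed in this thread, added here as an example and not part of either poster's message: it scans a mailbox (a constructed sample is embedded so it runs offline) for the NUL byte that triggers the crash, reports which message and line carry it, and checks whether the Mail binary is setuid, which is what decides how serious the crash is. The path /usr/bin/Mail is the one named in the thread; everything else is assumed.

```python
# Added example (not from the thread): find NUL bytes in a mailbox and
# check whether a Mail binary carries the setuid bit.
import os
import stat

# Constructed sample: two mbox messages; the second ends in a NUL byte
# (the ^@ that vi shows), as the thread describes for crashmail.txt.
SAMPLE_MBOX = (
    b"From alice@example.invalid Sat Jun  2 04:50:00 2001\n"
    b"Subject: hello\n\nplain body\n\n"
    b"From bob@example.invalid Sat Jun  2 04:52:00 2001\n"
    b"Subject: Security Update\n\nbody with a stray byte\n\x00\n"
)

def split_mbox(data: bytes) -> list:
    """Split raw mbox bytes into messages on 'From ' separator lines."""
    messages, current = [], []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From ") and current:
            messages.append(b"".join(current))
            current = []
        current.append(line)
    if current:
        messages.append(b"".join(current))
    return messages

def find_nul_bytes(data: bytes) -> list:
    """Return (message, line, column) for every NUL byte, all 1-based so
    the message number matches the index 'mail' prints."""
    hits = []
    for msg_no, msg in enumerate(split_mbox(data), start=1):
        for line_no, line in enumerate(msg.splitlines(keepends=True), start=1):
            pos = line.find(b"\x00")
            while pos != -1:
                hits.append((msg_no, line_no, pos + 1))
                pos = line.find(b"\x00", pos + 1)
    return hits

def is_setuid(path: str) -> bool:
    """True if the file at path has the setuid bit; False if it is absent."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False

if __name__ == "__main__":
    for msg_no, line_no, col in find_nul_bytes(SAMPLE_MBOX):
        print(f"message {msg_no}, line {line_no}, column {col}: NUL byte")
    print("setuid /usr/bin/Mail:", is_setuid("/usr/bin/Mail"))
```

To check a real spool, pass the bytes of /var/spool/mail/<user> to find_nul_bytes instead of the constructed sample.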