Re: Mail bug

[Alex <alex () bhni net>]

Does one of the other use procmail by default?

On Mon, 4 Jun 2001, Roland Dworschak wrote:

> Hi,
>
> I'm running Slackware 7.1 with the same mail version like you: Mail version
> 8.1 6/6/93, but it didn't core dumped here:
>
> del@unity:~$ wget http://owned.lab6.com/~gossi/crashmail.txt
> del@unity:~$ cp crashmail.txt /var/spool/mail/del
> del@unity:~$ mail
> Mail version 8.1 6/6/93.  Type ? for help.
> "/var/spool/mail/del": 1 message 1 new
> > N  1 sup-info@opus.calder  Sat Jun  2 04:52 161/5376  "Security Update:
> [CSS"
>
> /usr/bin/Mail is not suid here.
>
>
> regards,
>
>      roland dworschak
>
>
> -----Original Message-----
> From: Gossi The Dog [mailto:gossi () owned lab6 com]
> Sent: Sunday, June 03, 2001 7:41 PM
> To: vuln-dev () securityfocus com
> Subject: Mail bug
>
>
> Hi,
>
> I've discovered slightly odd behavour from /usr/bin/Mail on my Redhat 6.2
> box.  I don't really have the time to fiddle with this, so I'm hoping you
> guys can provide feedback as to if this is reproducable on other systems.
>
> Lets start with version numbers;
>
> [gossi@owned gossi]$ strings /bin/mail | grep version
> version
> Mail version %s.  Type ? for help.
> $OpenBSD: version.c,v 1.4 1996/06/08 19:48:46 christos Exp $
>
> [gossi@owned gossi]$ mail
> Mail version 8.1 6/6/93.  Type ? for help.
>
> Now, the bug appears to be this;
>
> If Mail encounters hex character x00 (aka ^@ as vi shows it), it seg
> faults and dumps it core.  On Slackware and (I believe) Debian, Mail is
> suid root.  On Redhat it isn't.  Other distros might have the suid bit
> set.
>
> There are two ways to easily reproduce this;
>
> echo -e \\x00 >/var/spool/mail/gossi
> mail
>
> (substituing gossi for your userid, obviously).  If it works, it should
> die.
>
> Or;
>
> wget http://owned.lab6.com/~gossi/crashmail.txt
> cp crashmail.txt /var/spool/mail/gossi
> mail
>
> I'd recommend using wget, as IE appears to drop the x00 character.  You
> can check you have the mail file in question by looking with vi - the last
> line should read ^@.
>
> Example of it reproduced on owned.lab6.com (Redhat 6.2);
>
> -------
> [gossi@owned gossi]$ wget http://owned.lab6.com/~gossi/crashmail.txt
> --18:37:41--  http://owned.lab6.com:80/%7Egossi/crashmail.txt
>            => `crashmail.txt'
> Connecting to owned.lab6.com:80... connected!
> HTTP request sent, awaiting response... 200 OK
> Length: 5,378 [text/plain]
>
>     0K -> .....                                                  [100%]
>
> 18:37:41 (5.13 MB/s) - `crashmail.txt' saved [5378/5378]
>
> [gossi@owned gossi]$ cp crashmail.txt /var/spool/mail/gossi
> [gossi@owned gossi]$ mail
> Segmentation fault (core dumped)
>
> ---------
>
> So, roughly, the questions I can see are;
>
> a) can you reproduce it
> b) what OS/distro
> c) is Mail suid root?
> d) why is it doing this, and is it exploitable?
>
>
> Regards,
> Gossi The Dog.
>
>      roland dworschak
>  linux administration
> ---------------------
> security information-
> resource @ defense.at
> ---------------------
> hans sachs gasse   11
> a - 5020     salzburg
> Tel:   +43 662 430473
> Fax:   +43 662 430470
> Mob: +43 699 11032868
> ---------------------
> http://www.defense.at
> mailto:del () defense at