Mail bug

[Gossi The Dog <gossi () owned lab6 com>]

Hi,

I've discovered slightly odd behavour from /usr/bin/Mail on my Redhat 6.2
box.  I don't really have the time to fiddle with this, so I'm hoping you
guys can provide feedback as to if this is reproducable on other systems.

Lets start with version numbers;

[gossi@owned gossi]$ strings /bin/mail | grep version
version
Mail version %s.  Type ? for help.
$OpenBSD: version.c,v 1.4 1996/06/08 19:48:46 christos Exp $

[gossi@owned gossi]$ mail
Mail version 8.1 6/6/93.  Type ? for help.

Now, the bug appears to be this;

If Mail encounters hex character x00 (aka ^@ as vi shows it), it seg
faults and dumps it core.  On Slackware and (I believe) Debian, Mail is
suid root.  On Redhat it isn't.  Other distros might have the suid bit
set.

There are two ways to easily reproduce this;

echo -e \\x00 >/var/spool/mail/gossi
mail

(substituing gossi for your userid, obviously).  If it works, it should
die.

Or;

wget http://owned.lab6.com/~gossi/crashmail.txt
cp crashmail.txt /var/spool/mail/gossi
mail

I'd recommend using wget, as IE appears to drop the x00 character.  You
can check you have the mail file in question by looking with vi - the last
line should read ^@.

Example of it reproduced on owned.lab6.com (Redhat 6.2);

-------
[gossi@owned gossi]$ wget http://owned.lab6.com/~gossi/crashmail.txt
--18:37:41--  http://owned.lab6.com:80/%7Egossi/crashmail.txt
           => `crashmail.txt'
Connecting to owned.lab6.com:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 5,378 [text/plain]

    0K -> .....                                                  [100%]

18:37:41 (5.13 MB/s) - `crashmail.txt' saved [5378/5378]

[gossi@owned gossi]$ cp crashmail.txt /var/spool/mail/gossi
[gossi@owned gossi]$ mail
Segmentation fault (core dumped)

---------

So, roughly, the questions I can see are;

a) can you reproduce it
b) what OS/distro
c) is Mail suid root?
d) why is it doing this, and is it exploitable?


Regards,
Gossi The Dog.