Elm, which is often setgid mail, has a buffer overflow with the NLSPATH variable. This is NOT the same as the libc NLSPATH bug.
"Dmitry E. Kim" <jason@REDLINE.RU>
GID mail (local)
Linux with vulnerable setGID mail ELM
26 March 1997
Joining group mail *CAN* be very helpful to hackers: some Linux boxes allow you to write to the mail spool and read other people's mail if you achieve this. Also, if anyone has a working exploit please mail it this way, I don't feel like writing & testing right now.
Date: Wed, 26 Mar 1997 21:02:48 +0400
From: "Dmitry E. Kim"
Subject: minor vulnerability in ELM
It's just an echo of old plain NLSPATH story -- I'm not even sure
it should be posted here, but still: in some distributions ELM is
installed setgid 'mail' (for unknown reason) -- for example, in Linux
(Slackware 3.1 and 3.2-beta) and (at least some distributions of) Solaris.
It is very easy to force stack overflow in ELM, using environment variable
NLSPATH (that is NOT the same bug as with Linux libc.so.5.3.12 -- ELM in the
mentioned distributions is dynamically linked, but is exploitable
with libc.so.5.4.10 at least).
Impact: any user with access to ELM can gain group 'mail' access rights.
Speaking theoretically, it is a Bad Thing, but seems like there's absolutely
no practical harm from it. Though probably there is some in certain OSes?
I didn't look carefully through Solaris, for example.
Exploit: standard stack overflow exploit. It is not quoted here because
it is very trivial and boring :).
Solution: why would ELM actually need setgid privileges? In FreeBSD ELM
lives well without any set[ug]id.
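Added example, not from the mail above and not ELM's source: a set-id program handling an NLSPATH-style environment value defensively in the two ways the report's analysis implies, a bounded copy instead of an unchecked one, and ignoring the variable entirely while running with elevated group or user ids. All function names and the buffer size are constructed for the illustration.

```c
/* Added example (not ELM's source): defensive handling of an NLSPATH-style
 * environment value in a program that may run set-gid. Names are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define NLS_BUF 256  /* constructed buffer size for the illustration */
/* 1 if effective ids differ from real ones, i.e. started set-uid or set-gid. */
static int running_set_id(void) {
    return getegid() != getgid() || geteuid() != getuid();
}
/* Bounded replacement for strcpy(buf, getenv("NLSPATH")): returns 0 and fills
 * out, or -1 with out empty if the value is missing or does not fit with its NUL. */
static int copy_nls_path_bounded(const char *value, char *out, size_t cap) {
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    if (value == NULL) return -1;
    while (len < cap && value[len] != '\0') len++;  /* never reads past cap bytes */
    if (len >= cap) return -1;                        /* refuse rather than truncate */
    memcpy(out, value, len + 1);
    return 0;
}

/* Policy: a set-id process ignores NLSPATH and keeps the compiled-in catalog path;
 * otherwise the value is used only if it fits. Returns 1 when out holds a path. */
static int select_nls_path(const char *value, int set_id, char *out, size_t cap) {
    if (set_id) { if (cap) out[0] = '\0'; return 0; }
    return copy_nls_path_bounded(value, out, cap) == 0;
}

/* Scenario checks that do not need a real setgid binary. */
static int demo_short_value_unprivileged(void) {
    char p[NLS_BUF];
    return select_nls_path("/usr/lib/nls/%N", 0, p, sizeof p) == 1 && strcmp(p, "/usr/lib/nls/%N") == 0;
}
static int demo_oversized_value_unprivileged(void) {
    char p[NLS_BUF], big[NLS_BUF + 64];  /* constructed hostile-length value */
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    return select_nls_path(big, 0, p, sizeof p) == 0 && p[0] == '\0';
}
static int demo_value_under_set_id(void) {
    char p[NLS_BUF];
    return select_nls_path("/usr/lib/nls/%N", 1, p, sizeof p) == 0 && p[0] == '\0';
}
int main(void) {
    printf("set-id: %d short ok: %d oversized rejected: %d set-id ignored: %d\n", running_set_id(),
           demo_short_value_unprivileged(), demo_oversized_value_unprivileged(), demo_value_under_set_id());
    return 0;
}
```

Removing the setgid bit from the binary, as the mail suggests, makes `running_set_id()` return 0 and is the simpler fix; the code above is for programs that must keep the privilege.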
This page is part of Fyodor's exploit