IRIX rmail system() and LOGNAME hole

Summary
Description:rmail is setgid mail and apparently does a system() involving the contents of untrusted user environmental variable LOGNAME. Duh.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Group mail, the uses of this are obvious
Vulnerable Systems:IRIX, 5.3, 6.2, possibly 6.3
Date:7 May 1997
Notes:Too bad Yuri Volobuev is retiring. There wouldn't be a IRIX section without him. Good job Yuri!
Details

te: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Irix: misc

[...]

7. Rmail

This one is ridiculous.  /usr/bin/rmail is sgid mail.  Man page clearly 
says
rmail is only required by UUCP, still, it's installed everywhere.  It's 
also
been known to have bugs for years, which SGI has addressed by a series of
patches.  Quite unfortunately, all of them fail to fix the problem
completely, including the most recent one, 1639 (for 6.2, it has brothers
for other releases).  It's a small and simple program, it just passes
slightly modified message from stdin to sendmail, as usually via virtue of
system().  Why it takes several shots to fix it, I just don't understand.
To exploit, set LOGNAME env to something like blah;mycommand.  
Fortunately,
it syslogs all invocations of itself, so at least you'll know when someone
is doing something bad.  Remove sgid bit from it.




More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]