rmail is setgid mail and apparently does a system() involving the contents of the untrusted user environment variable LOGNAME. Duh.
Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Group mail, the uses of this are obvious
IRIX, 5.3, 6.2, possibly 6.3
7 May 1997
Too bad Yuri Volobuev is retiring. There wouldn't be an IRIX section without him. Good job Yuri!
Date: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Subject: Irix: misc
This one is ridiculous. /usr/bin/rmail is sgid mail. Man page clearly
rmail is only required by UUCP, still, it's installed everywhere. It's
been known to have bugs for years, which SGI has addressed by a series of
patches. Quite unfortunately, all of them fail to fix the problem
completely, including the most recent one, 1639 (for 6.2, it has brothers
for other releases). It's a small and simple program; it just passes a
slightly modified message from stdin to sendmail, as usual by virtue of
system(). Why it takes several shots to fix it, I just don't understand.
To exploit, set LOGNAME env to something like blah;mycommand.
it syslogs all invocations of itself, so at least you'll know when someone
is doing something bad. Remove sgid bit from it.
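The defect Yuri describes is a classic one: a privileged program builds a shell command line from an environment variable it does not control and hands it to system(). The following C is an added illustration written for this archive page, not rmail's source (which the advisory does not include); the sendmail path and argument list are assumed. It shows the unsafe string construction beside the hardened pattern: an allow-list check on the name, and fork/execv with a fixed argv so no shell ever parses it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed sendmail location; the real rmail's path is not on the page. */
#define SENDMAIL_PATH "/usr/lib/sendmail"

/* Vulnerable pattern (illustration only, not rmail's code): the sender name
   taken from the environment is pasted into a shell command line that would
   then go to system(), so any shell metacharacter in it becomes part of the
   command. This function only builds the string and never runs it.
   Caller frees the result. */
char *build_cmd_unsafe(const char *logname) {
    const char *fmt = SENDMAIL_PATH " -f %s -oi -oem";
    size_t n = strlen(fmt) + strlen(logname) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, fmt, logname);
    return cmd;
}

/* Allow-list check: a sender name may contain only letters, digits, '.', '_'
   and '-', and must be short. Anything else (';', '|', '$', whitespace, ...)
   is rejected before it can reach any command line. */
int logname_is_safe(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 32) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened pattern: no system() at all. Validate the name, drop the setgid
   group, then execv sendmail with a fixed argv so the name is one literal
   argument. Returns sendmail's exit status, or -1 on rejection or error. */
int run_sendmail_safe(const char *logname) {
    if (!logname_is_safe(logname)) return -1;
    /* Separate argv strings: there is no shell between us and sendmail. */
    char *const argv[] = { "sendmail", "-f", (char *)logname, "-oi", "-oem", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* A setgid program should shed the extra group before exec. */
        if (setgid(getgid()) != 0) _exit(127);
        execv(SENDMAIL_PATH, argv);
        _exit(127);   /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed value following the advisory's "blah;mycommand" pattern. */
    const char *bad = "blah;mycommand";
    char *cmd = build_cmd_unsafe(bad);
    printf("unsafe system() string would be: %s\n", cmd);
    free(cmd);
    printf("logname_is_safe(\"%s\") = %d\n", bad, logname_is_safe(bad));
    printf("logname_is_safe(\"alice\") = %d\n", logname_is_safe("alice"));
    printf("run_sendmail_safe(\"%s\") = %d\n", bad, run_sendmail_safe(bad));
    return 0;
}
```

The point of the hardened version is that correctness no longer depends on escaping: execv passes the name as a single argv element, so the allow-list is a second line of defence rather than the only one. Removing the sgid bit, as the advisory suggests, remains the simplest fix where UUCP is not in use.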
This page is part of Fyodor's exploit