Mail Handler 6.8.4 overflow

Summary
Description:standard overflow
Author:Cesar Tascon Alvarez <tascon@enete.gui.uva.es>
Compromise: root (local)
Vulnerable Systems:Those running Mail Hanldler 6.8.4 (and presumably earlier versions). Redhat 5.0 is affected.
Date:19 January 1998
Details


Date: Mon, 19 Jan 1998 16:50:49 +0100
From: Cesar Tascon Alvarez <tascon@enete.gui.uva.es>
To: BUGTRAQ@NETSPACE.ORG
Subject: Security Problem in MH 6.8.4

  Description:
      Due to lack of security checks there is a standard stack smashing problem.
Local user can execute code as root.

    Let's see.

[tascon@archivald]$ id
uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
[tascon@archivald]$ cat /etc/redhat-release
release 5.0 (Hurricane)
[tascon@archivald]$ ls -l /usr/bin/mh/inc
-rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
[tascon@archivald]$ /usr/bin/mh/inc
inc: no mail to incorporate
[tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
XXXXX      <---- (2000 X's here)
Segmentation fault

^^^^^^^^^^^^^^^^^^   Dangerous isn't it?

   Local exploit exists for that option. Note that MH isn't even configured.
It's as the installation of RedHat 5.0 left it. Note also that MH is intalled
by deffect with RedHat 5.0.

Solution: Uninstall this package or remove the suid-bit until patch becomes
          available.

MH also installs another suid-program: msgchk. It's also posible to get a
Segmentation fault whith the same option, but I haven't been able to exploit
it. I have worked on it quite a few. Could someone probe it a little deeper??

  Greetings


----o-------------------------------o-------------------------------------o----
  Space reserved to describe      /          Cesar Tascon Alvarez
    my job when I got one.      /       University of Valladolid (SPAIN)
 Yes, I'm just a student ;)   /               tascon@gui.uva.es
----o-----------------------o---------------------------------------------o----

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]