Some metamail scripts (such as sun-audio-file) call innapropriate helper-apps (like uudecode) which allow things like overwriting files on the system.
Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Obtain access to the account running metamail.
Those running vulnerable versions of metamail (often Elm users). Redhat linux 4.x uses metamail in some cases.
24 October 1997
Date: Fri, 24 Oct 1997 22:42:11 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Subject: Vulnerability in metamail
Ok Im sure the topic "vulnerability in metamail" has those who've been near
the code at the very least unsuprised. The right things to do with metamail
a) Use it as a course example on why not to write programs in sh
b) Throw it out and write it in C
For the moment however this one appears to be covered ok by using
uudecode's -o option to force the output file.
A couple of scripts in metamail (notably sun-audio-file) blindly uudecode
something assuming the filename will be reasonable. It does do things
in a /tmp dir but if you know someones home dir and bung in a full path
then suprise suprise it uudecodes where asked - so you can send people
sun-audio-file .rhosts for example.
It seems to be sufficient to change from
if (! $?METAMAIL_TMPDIR) then
uudecode < $1
uudecode <$1 -o audio-file
This isnt the only problem file tho.
This seems affect anybody using metamail - thats generally folks using Elm
and things like Andrew in some cases. Several Linux distributions ship
a metamail kit. A fix for Redhat 4.x is now available on ftp.redhat.com.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: