Security holes in Metamail

Description: Some metamail scripts (such as sun-audio-file) call inappropriate helper apps (like uudecode), which allow things like overwriting files on the system.
Author: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise: Obtain access to the account running metamail.
Vulnerable Systems: Those running vulnerable versions of metamail (often Elm users). Red Hat Linux 4.x uses metamail in some cases.
Date: 24 October 1997

Date: Fri, 24 Oct 1997 22:42:11 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Subject: Vulnerability in metamail

Ok, I'm sure the topic "vulnerability in metamail" has those who've been near
the code at the very least unsurprised. The right things to do with metamail
are either

        a) Use it as a course example on why not to write programs in sh
        b) Throw it out and write it in C

For the moment however this one appears to be covered ok by using
uudecode's -o option to force the output file.

A couple of scripts in metamail (notably sun-audio-file) blindly uudecode
something assuming the filename will be reasonable. It does do things
in a /tmp dir but if you know someone's home dir and bung in a full path
then surprise surprise it uudecodes where asked - so you can send people
sun-audio-file .rhosts for example.

It seems to be sufficient to change from

if (! $?METAMAIL_TMPDIR) then
    set METAMAIL_TMPDIR=/tmp
endif

uudecode < $1
audiotool audio-file

To use

uudecode <$1 -o audio-file

This isn't the only problem file though.

This seems to affect anybody using metamail - that's generally folks using Elm
and things like Andrew in some cases. Several Linux distributions ship
a metamail kit. A fix for Redhat 4.x is now available on
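
Added example, not part of the original message or of metamail: a Python sketch of why the name on the uuencode "begin" line matters and of the mitigation the message describes (decoding to a file name the caller chooses, as with uudecode -o). The sample body, the path in it and the function names are constructed for illustration.

```python
import binascii
import os

PAYLOAD = b"constructed sample data\n"
# Constructed message body: the sender, not the recipient, picks the name
# on the "begin" line. The path is a made-up example.
SAMPLE = ("begin 644 /home/user/.rhosts\n"
          + binascii.b2a_uu(PAYLOAD).decode("ascii")
          + "`\nend\n")

def parse_begin(line):
    """Split a uuencode header 'begin <mode> <name>' into (mode, name)."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) != 3 or parts[0] != "begin":
        raise ValueError("not a uuencode header: %r" % line)
    return parts[1], parts[2]

def name_is_risky(name):
    """True if honouring the embedded name would leave the working directory."""
    # Some uudecode implementations also expand a leading ~user.
    return os.path.isabs(name) or "/" in name or name.startswith("~")

def safe_uudecode(text, out_path):
    """Decode to the caller's out_path, as 'uudecode -o audio-file' does.
    The embedded name is returned for logging but never used as a path."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.startswith("begin ")]
    if not starts:
        raise ValueError("no begin line")
    _mode, embedded = parse_begin(lines[starts[0]])
    data = bytearray()
    for line in lines[starts[0] + 1:]:
        if line == "end":
            break
        data += binascii.a2b_uu(line)
    # O_EXCL: never overwrite an existing file or follow a planted symlink.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return embedded

if __name__ == "__main__":
    import tempfile
    out = os.path.join(tempfile.mkdtemp(), "audio-file")
    name = safe_uudecode(SAMPLE, out)
    print("embedded name %r risky=%s, wrote %s" % (name, name_is_risky(name), out))
```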


This page is part of Fyodor's exploit world.