Bugtraq archives for 1st quarter (Jan-Mar) 1998: Re: Security Problem in MH 6.8.4

Re: Security Problem in MH 6.8.4

Prince Ctrl (princectrlROCKETMAIL.COM)
Mon, 19 Jan 1998 13:46:10 -0800

The output with ln -l is the same on a default RedHat 4.2
install.....after trying the same thing with it, nothing happened....I
got an error of "No servers available"....Trying with 2400 X's yielded
the same results.

I suspect that this is only a bug in RedHat 5.0


---Cesar Tascon Alvarez <tasconENETE.GUI.UVA.ES> wrote:
>   Description:
>       Due to lack of security checks there is a standard stack
> smashing problem.
> Local user can execute code as root.
>     Let's see.
> [tasconarchivald]$ id
> uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
> [tasconarchivald]$ cat /etc/redhat-release
> release 5.0 (Hurricane)
> [tasconarchivald]$ ls -l /usr/bin/mh/inc
> -rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
> [tasconarchivald]$ /usr/bin/mh/inc
> inc: no mail to incorporate
> [tasconarchivald]$ /usr/bin/mh/inc -host
> XXXXX      <---- (2000 X's here)
> Segmentation fault
> ^^^^^^^^^^^^^^^^^^   Dangerous isn't it?
>    Local exploit exists for that option. Note that MH isn't even
> It's as the installation of RedHat 5.0 left it. Note also that MH is
> by default with RedHat 5.0.
> Solution: Uninstall this package or remove the suid-bit until patch
>           available.
> MH also installs another suid-program: msgchk. It's also possible to get a
> Segmentation fault with the same option, but I haven't been able to
> it. I have worked on it quite a few. Could someone probe it a little
>   Greetings
>   Space reserved to describe      /          Cesar Tascon Alvarez
>     my job when I got one.      /       University of Valladolid
>  Yes, I'm just a student ;)   /               tascongui.uva.es
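
The interim fix given in the quoted advisory (remove the suid bit until a patch is available), written out as an added example that is not part of either post. The function names and the command-line form are assumptions of this sketch; `/usr/bin/mh` is the directory shown in the advisory's `ls -l` output.

```shell
#!/bin/sh
# Added example: report setuid/setgid regular files under a directory
# and, on request, strip those bits as a stop-gap until a patch ships.
# Function names are hypothetical; file names containing newlines are
# not handled.

# list_privileged DIR
# Print, one per line, every regular file under DIR that carries the
# setuid (4000) or setgid (2000) bit.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# strip_privileged DIR
# Clear setuid and setgid on each file found, printing the mode it had
# before the change so the action can be reverted after patching.
strip_privileged() {
    list_privileged "$1" | while IFS= read -r f; do
        old=$(ls -ld "$f" | cut -c1-10)
        if chmod u-s,g-s "$f"; then
            printf 'stripped %s %s\n' "$old" "$f"
        else
            printf 'FAILED %s %s\n' "$old" "$f" >&2
        fi
    done
}

# Stand-alone use:
#   sh mh-suid-audit.sh /usr/bin/mh           report only
#   sh mh-suid-audit.sh /usr/bin/mh --strip   report, then clear the bits
if [ -n "${1:-}" ]; then
    list_privileged "$1"
    if [ "${2:-}" = "--strip" ]; then
        strip_privileged "$1"
    fi
fi
```

Clearing the bits needs ownership of the files or root. The logged old mode (for example `-rwsr-sr-x`) is what to restore once a fixed package is installed.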
