OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1998: Re: Security Problem in MH 6.8.4

Re: Security Problem in MH 6.8.4

Prince Ctrl (princectrlROCKETMAIL.COM)
Mon, 19 Jan 1998 13:46:10 -0800

The output with ln -l is the same on a default RedHat 4.2
install.....after trying the same thing with it, nothing happened....I
got an error of "No servers available"....Trying with 2400 X's yielded
the same results.

I suspect that this is only a bug in RedHat 5.0




PrinceC
princectrlrocketmail.com





---Cesar Tascon Alvarez <tasconENETE.GUI.UVA.ES> wrote:
>
>   Description:
>       Due to lack of security checks there is a standard stack
smashing problem.
> Local user can execute code as root.
>
>     Let's see.
>
> [tasconarchivald]$ id
> uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
> [tasconarchivald]$ cat /etc/redhat-release
> release 5.0 (Hurricane)
> [tasconarchivald]$ ls -l /usr/bin/mh/inc
> -rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
> [tasconarchivald]$ /usr/bin/mh/inc
> inc: no mail to incorporate
> [tasconarchivald]$ /usr/bin/mh/inc -host
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
> XXXXX      <---- (2000 X's here)
> Segmentation fault
>
> ^^^^^^^^^^^^^^^^^^   Dangerous isn't it?
>
>    Local exploit exists for that option. Note that MH isn't even
configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is
intalled
> by deffect with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until patch
becomes
>           available.
>
> MH also installs another suid-program: msgchk. It's also posible to
get a
> Segmentation fault whith the same option, but I haven't been able to
exploit
> it. I have worked on it quite a few. Could someone probe it a little
deeper??
>
>   Greetings
>
>
>
----o-------------------------------o-------------------------------------o----
>   Space reserved to describe      /          Cesar Tascon Alvarez
>     my job when I got one.      /       University of Valladolid
(SPAIN)
>  Yes, I'm just a student ;)   /               tascongui.uva.es
>
----o-----------------------o---------------------------------------------o----
>

_________________________________________________________
DO YOU YAHOO!?
Get your free yahoo.com address at http://mail.yahoo.com