Re: Security Problem in MH 6.8.4

mparson@SMARTNAP.COM
Mon, 19 Jan 1998 14:35:21 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: satan: "Buffer overflow in Yapp Conferencing System..."
Previous message: Aggelos P. Varvitsiotis: "Re: Solaris ftpd D.O.S."
Maybe in reply to: Cesar Tascon Alvarez: "Security Problem in MH 6.8.4"
Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: Security Problem in MH 6.8.4"

In message <Pine.LNX.3.93.980119164955.9902A-100000@enete.gui.uva.es>, you writ
e:
> Description:
> Due to lack of security checks there is a standard stack smashing probl
> em.
> Local user can execute code as root.
>
> Let's see.

> Local exploit exists for that option. Note that MH isn't even configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is intalled
> by deffect with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until patch becomes
> available.

How about:

Remove suid bit from inc.

Instead, use popclient to retrieve mail and procmail/rcvstore to deliver
the messages into the MH mailboxes. This still allows users to use inc
to suck in mbox format mailboxes.

The popclient package is also installed by default with RedHat (at least it
was with 4.2, I haven't installed 5.0 yet).

> MH also installs another suid-program: msgchk. It's also posible to get a
> Segmentation fault whith the same option, but I haven't been able to exploit
> it. I have worked on it quite a few. Could someone probe it a little deeper??
>
> Greetings

--
Michael Parson
News Admin
SMART-NAP

Next message: satan: "Buffer overflow in Yapp Conferencing System..."
Previous message: Aggelos P. Varvitsiotis: "Re: Solaris ftpd D.O.S."
Maybe in reply to: Cesar Tascon Alvarez: "Security Problem in MH 6.8.4"
Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: Security Problem in MH 6.8.4"