I suspect that this is only a bug in RedHat 5.0
PrinceC
princectrl@rocketmail.com
---Cesar Tascon Alvarez <tascon@ENETE.GUI.UVA.ES> wrote:
>
> Description:
> Due to a lack of security checks there is a standard stack smashing problem.
> Local user can execute code as root.
>
> Let's see.
>
> [tascon@archivald]$ id
> uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
> [tascon@archivald]$ cat /etc/redhat-release
> release 5.0 (Hurricane)
> [tascon@archivald]$ ls -l /usr/bin/mh/inc
> -rwsr-sr-x 1 root mail 82972 Oct 15 18:06 /usr/bin/mh/inc
> [tascon@archivald]$ /usr/bin/mh/inc
> inc: no mail to incorporate
> [tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]XXXXX <---- (2000 X's here)
> Segmentation fault
>
> ^^^^^^^^^^^^^^^^^^ Dangerous isn't it?
>
> Local exploit exists for that option. Note that MH isn't even configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is installed
> by default with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until a patch becomes
> available.
>
> MH also installs another suid program: msgchk. It's also possible to get a
> Segmentation fault with the same option, but I haven't been able to exploit
> it. I have worked on it quite a bit. Could someone probe it a little deeper??
>
> Greetings
>
>
>
> ----o-------------------------------o-------------------------------------o----
> Space reserved to describe / Cesar Tascon Alvarez
> my job when I got one. / University of Valladolid (SPAIN)
> Yes, I'm just a student ;) / tascon@gui.uva.es
>
> ----o-----------------------o---------------------------------------------o----
>
_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
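The bug class in the quoted report, as an added illustration that is not MH's source and not code from either poster: a setuid program copies an attacker-supplied option value (here the `-host` argument) into a fixed-size stack buffer with no length check, so a 2000-byte value overwrites the saved frame and return address and, because the binary is setuid root, any injected code runs as root. The buffer size `HOSTBUF`, the function names `set_host_unchecked` / `set_host_checked`, and the `x_string` / `scratch_host` helpers are hypothetical; the real `inc` buffer size and code are not on the page. The unchecked version is shown for contrast only and is never called with an over-long value here, since that is undefined behaviour.

```c
/* Added example: unbounded copy of an argv value into a stack buffer (the
 * pattern behind "inc -host XXXX...") beside a bounded replacement.
 * All names and sizes are hypothetical; this is not MH's code. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HOSTBUF 64   /* hypothetical size of the on-stack host buffer */

/* Vulnerable pattern: strcpy() of attacker-controlled data into a fixed
 * stack buffer. With strlen(arg) >= HOSTBUF the copy runs past the buffer
 * into the saved frame pointer and return address. In a setuid root binary
 * that is a local root compromise. Only ever call this with short input. */
int set_host_unchecked(const char *arg)
{
    char host[HOSTBUF];
    strcpy(host, arg);               /* no bound check: the overflow */
    return (int)strlen(host);
}

/* Hardened form: refuse anything that does not fit including the NUL,
 * then copy exactly that many bytes. Returns 0 on success, -1 if rejected. */
int set_host_checked(const char *arg, char *out, size_t outsz)
{
    size_t n;
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    n = strlen(arg);
    if (n >= outsz)                  /* would not fit with the terminator */
        return -1;
    memcpy(out, arg, n + 1);         /* copies the NUL as well */
    return 0;
}

/* Constructed input mirroring the reporter's test: a run of `count` X's
 * (capped at 4095 so the static buffer itself never overflows). */
const char *x_string(size_t count)
{
    static char xs[4096];
    if (count >= sizeof xs)
        count = sizeof xs - 1;
    memset(xs, 'X', count);
    xs[count] = '\0';
    return xs;
}

/* Static scratch buffer of HOSTBUF bytes for callers and tests. */
char *scratch_host(void)
{
    static char h[HOSTBUF];
    return h;
}

int main(int argc, char **argv)
{
    char host[HOSTBUF];
    const char *arg = argc > 1 ? argv[1] : x_string(2000);

    if (set_host_checked(arg, host, sizeof host) != 0) {
        fprintf(stderr, "inc: -host value too long (%lu bytes, limit %d)\n",
                (unsigned long)strlen(arg), HOSTBUF - 1);
        return 1;
    }
    printf("host set to %s\n", host);
    return 0;
}
```

Run without arguments it feeds itself the 2000-X string and exits with the "too long" diagnostic instead of faulting; with a short argument it accepts it. The point of the checked version is that the bound is the destination size passed in by the caller, so the same code is correct whatever buffer it is given, which is the property a fix for `inc` or `msgchk` needs; stripping the setuid bit, as the report suggests, removes the privilege gain but not the crash.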