The only one I'm going to describe is the program 'msgchk', which is suid
(on my server it's installed by default in /usr/bin/mh/msgchk, in
function checkmail; you would also want to check /usr/lib/mh/msgchk).
(You ought to look through the code yourself.. I notice quite a few
bugs.. this program relies heavily on buffers and environment variables.)
This is pretty straightforward.
    char *hdir, buf[BUFSIZ], *tmp;

    hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    (void) sprintf(buf, "%s/.netrc", hdir);

(BUFSIZ: not sure the exact value.. check the *.h files.. for test
purposes, if you try to overflow this, just use a size of 9999, just to
see if it segfaults.)
Obviously it never even checks the value of hdir.. so export your home
directory to something very large (if this doesn't work, they still
disobeyed something that libc specifically says not to do.. they say to
use (can't remember the exact function) _secure_getenv,
_securelib_getenv (??), something like that.. and they also said NOT to
define it to set the HOME to "." (the current path), for the reason that
someone could link .netrc to something, and since it's suid... test this
yourself.. I don't have too much time).
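As an added example, not code from the post or from the mh sources, here is the same path construction written so that an oversized HOME value cannot overrun the buffer: snprintf is bounded and its return value is checked, and a missing HOME is treated as an error instead of defaulting to "." as the post describes. The function name build_netrc_path and the sample HOME values are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened version of the msgchk path construction (added example).
 * Builds "<hdir>/.netrc" into buf without writing past bufsz bytes.
 * Returns 0 on success and -1 if hdir is missing/empty or the result
 * would not fit; on failure buf is left as an empty string. */
int build_netrc_path(const char *hdir, char *buf, size_t bufsz)
{
    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    /* A setuid program should not guess "." for a missing HOME:
     * refuse instead of reading a .netrc from the current directory. */
    if (hdir == NULL || hdir[0] == '\0')
        return -1;
    int n = snprintf(buf, bufsz, "%s/.netrc", hdir);
    /* snprintf reports the length it wanted; >= bufsz means truncation,
     * i.e. exactly the input that sprintf would have written out of bounds. */
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[BUFSIZ];
    /* Constructed input: a HOME far longer than any real path. */
    char huge[9999];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    if (build_netrc_path("/home/alice", buf, sizeof buf) == 0)
        printf("ok: %s\n", buf);
    if (build_netrc_path(huge, buf, sizeof buf) != 0)
        printf("rejected oversized HOME (%zu bytes)\n", strlen(huge));
    if (build_netrc_path(NULL, buf, sizeof buf) != 0)
        printf("rejected missing HOME\n");
    return 0;
}
```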
Matt Conover (shok@onlinex.net -- Shok).