Re: Security Problem in MH 6.8.4

mparson@SMARTNAP.COM
Mon, 19 Jan 1998 14:35:21 -0600

In message <Pine.LNX.3.93.980119164955.9902A-100000@enete.gui.uva.es>, you write:
> Description:
> Due to lack of security checks there is a standard stack smashing problem.
> Local user can execute code as root.
>
> Let's see.

<descrip of exploit removed>

> Local exploit exists for that option. Note that MH isn't even configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is installed
> by default with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until patch becomes
> available.

How about:

Remove suid bit from inc.

Instead, use popclient to retrieve mail and procmail/rcvstore to deliver
the messages into the MH mailboxes. This still allows users to use inc
to suck in mbox format mailboxes.

The popclient package is also installed by default with RedHat (at least it
was with 4.2, I haven't installed 5.0 yet).

> MH also installs another suid-program: msgchk. It's also possible to get a
> Segmentation fault with the same option, but I haven't been able to exploit
> it. I have worked on it quite a few. Could someone probe it a little deeper??
>
> Greetings

--
Michael Parson
News Admin
SMART-NAP
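
The first step of the workaround above (removing the set-uid bit from inc, and likewise from msgchk), as an added example that is not part of the original message: a POSIX shell function that clears the bit and verifies the result. The binary paths are supplied by the caller, because the message does not give MH's install locations.

```shell
#!/bin/sh
# Added example: clear the set-uid bit on the named binaries and verify it.
# Paths come from the caller; the message does not state where MH is installed.

# drop_suid FILE...
# Returns 0 if every listed file exists and is not set-uid afterwards,
# 1 if a file is missing, is a symlink, or is still set-uid after chmod.
drop_suid() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            rc=1
            continue
        fi
        # chmod follows symlinks; make the admin name the real file instead.
        if [ -L "$f" ]; then
            echo "skipped (symlink): $f" >&2
            rc=1
            continue
        fi
        if [ -u "$f" ]; then
            if chmod u-s -- "$f" 2>/dev/null && [ ! -u "$f" ]; then
                echo "cleared: $f"
            else
                echo "FAILED: $f is still set-uid" >&2
                rc=1
            fi
        else
            echo "ok: $f (not set-uid)"
        fi
    done
    return $rc
}

# Run only when called with arguments, e.g.:
#   sh drop_suid.sh /path/to/inc /path/to/msgchk
if [ "$#" -gt 0 ]; then
    drop_suid "$@"
fi
```

A package upgrade or reinstall can restore the original mode, so the check is worth re-running until a patched MH is installed.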