I looked at the debian mh and noticed it was suid group with the group mail
and although I'm not sure that a non root user can newgrp to mail (I tried
and it didn't work) I changed inc and msgchk to rwxr-xr-x (instead of
rwxr-sr-x). Does anyone know if what I did could create any problems??
Did I fix any problems??? It seems to me that as long as I own my
/var/spool/mail file inc and msgchk don't need to be suid.
------- Forwarded Message
Return-Path: [EMAIL PROTECTED]
X-Delivered: at request of mail on tinuviel
Received: from smtp.gte.net ([207.115.153.29])
by tinuviel.cs.wcu.edu (8.8.5/8.8.5) with ESMTP id OAA11712
for <[EMAIL PROTECTED]>; Wed, 23 Apr 1997 14:37:43 -0400
Received: from russkiy ([EMAIL PROTECTED] [153.35.193.225])
by smtp.gte.net (SMI-8.6/SMI-SVR4) with SMTP id NAA19793;
Wed, 23 Apr 1997 13:37:41 -0500 (CDT)
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 23 Apr 1997 14:37:46 -0400
From: RuSSKIy <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Security Holes
Content-Type: multipart/mixed; boundary="------------150C4FA07A45"
This is a multi-part message in MIME format.
- --------------150C4FA07A45
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
http://www.123.net/~onkyo/files/exploits/linux-mh.asc
- --------------150C4FA07A45
Content-Type: text/plain; charset=us-ascii; name="linux-mh.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="linux-mh.asc"
There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc
and /usr/bin/mh/msgchk suid root. These programs are configured suid root
in order to bind to a privileged port for rpop authentication. However,
there is a non-security conflict between mh and the default Red Hat 2.1
configuration in that the /etc/services lists pop-2 and pop-3 services, but
the mh utilities do lookups for a pop service, which doesn't exist, resulting
in an inability to use any of the pop functionality. This may be a fortunate
bug, since there may be more serious security holes within the pop functions
of these two program.
The security hole present in these two programs is that when opening
up the configuration files in the user's home directory, root privileges
are maintained, and symbolic links are followed. This allows an arbitrary
file to to be opened. Fortunately, the program does not simply dump the
contents of this file anywhere, and only certain formatting is allowed in
the file to be processed by the program in order to see any output. In
the cases where it will be processed, only the first line of the file will
actually be output to the user.
Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk
Affected Operating Systems: RedHat 2.1 linux distribution
Requirements: account on system
Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk
Security Compromise: read 1st line of some arbitrary files
Author: Dave M. ([EMAIL PROTECTED])
Synopsis: inc & msgchk fail to check file permissions
before opening user configuration files
in the user's home directory, allowing a user
on the system to read the first line of any
file on the system with some limitations.
Exploit:
$ ln -s FILE_TO_READ ~/.mh_profile
$ /usr/bin/mh/msgchk
- --------------150C4FA07A45--
------- End of Forwarded Message
--
Jason Killen Question Stupidity
Mama's don't let your babies grow up to be Linux hackers
Monolith : the new ANSI standard for humans
PGP fingerprint = 64 71 48 14 31 AE C6 70 E4 4F 64 EB 3B AA 00 6B
[EMAIL PROTECTED]
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] .
Trouble? e-mail to [EMAIL PROTECTED] .
