I looked at the debian mh and noticed it was suid group with the group mail and although I'm not sure that a non root user can newgrp to mail (I tried and it didn't work) I changed inc and msgchk to rwxr-xr-x (instead of rwxr-sr-x). Does anyone know if what I did could create any problems?? Did I fix any problems??? It seems to me that as long as I own my /var/spool/mail file inc and msgchk don't need to be suid.
------- Forwarded Message Return-Path: [EMAIL PROTECTED] X-Delivered: at request of mail on tinuviel Received: from smtp.gte.net ([207.115.153.29]) by tinuviel.cs.wcu.edu (8.8.5/8.8.5) with ESMTP id OAA11712 for <[EMAIL PROTECTED]>; Wed, 23 Apr 1997 14:37:43 -0400 Received: from russkiy ([EMAIL PROTECTED] [153.35.193.225]) by smtp.gte.net (SMI-8.6/SMI-SVR4) with SMTP id NAA19793; Wed, 23 Apr 1997 13:37:41 -0500 (CDT) Message-ID: <[EMAIL PROTECTED]> Date: Wed, 23 Apr 1997 14:37:46 -0400 From: RuSSKIy <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Security Holes Content-Type: multipart/mixed; boundary="------------150C4FA07A45" This is a multi-part message in MIME format. - --------------150C4FA07A45 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit http://www.123.net/~onkyo/files/exploits/linux-mh.asc - --------------150C4FA07A45 Content-Type: text/plain; charset=us-ascii; name="linux-mh.asc" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="linux-mh.asc" There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid root. These programs are configured suid root in order to bind to a privileged port for rpop authentication. However, there is a non-security conflict between mh and the default Red Hat 2.1 configuration in that the /etc/services lists pop-2 and pop-3 services, but the mh utilities do lookups for a pop service, which doesn't exist, resulting in an inability to use any of the pop functionality. This may be a fortunate bug, since there may be more serious security holes within the pop functions of these two program. The security hole present in these two programs is that when opening up the configuration files in the user's home directory, root privileges are maintained, and symbolic links are followed. This allows an arbitrary file to to be opened. Fortunately, the program does not simply dump the contents of this file anywhere, and only certain formatting is allowed in the file to be processed by the program in order to see any output. In the cases where it will be processed, only the first line of the file will actually be output to the user. Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk Affected Operating Systems: RedHat 2.1 linux distribution Requirements: account on system Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk Security Compromise: read 1st line of some arbitrary files Author: Dave M. ([EMAIL PROTECTED]) Synopsis: inc & msgchk fail to check file permissions before opening user configuration files in the user's home directory, allowing a user on the system to read the first line of any file on the system with some limitations. Exploit: $ ln -s FILE_TO_READ ~/.mh_profile $ /usr/bin/mh/msgchk - --------------150C4FA07A45-- ------- End of Forwarded Message -- Jason Killen Question Stupidity Mama's don't let your babies grow up to be Linux hackers Monolith : the new ANSI standard for humans PGP fingerprint = 64 71 48 14 31 AE C6 70 E4 4F 64 EB 3B AA 00 6B [EMAIL PROTECTED] -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .