`Proof of Concept - Security Advisory    02/15/99
http://poc.csoft.net
Released by [email protected], [email protected]
---
Affected Program:  mail.local (Berkeley Sendmail)
Description:       Local mailer (forward mail to mailboxes)
Severity:          Mailbox compromise
Synopsis:
mail.local is a small program distributed with Berkeley Sendmail,
used as a local mailer (forwards mail to mailboxes), also able to
handle LMTP commands. It runs SUID root in order to access the
user's mailbox (i.e. /var/spool/mail, /usr/spool/mail).
Overview:
When mail has to be written to a user's mailbox locally, a local
mailer is used; the mail.local program that comes with Sendmail
does this task, but it does not restrict the length of a message,
nor does it check the authenticity of the user who sends it.
This is obviously not a big security issue - but still, it has to
get fixed, as this could lead to more serious problems if used
on a system with lots of e-mail accounts.
Problem:
This can lead to the compromise of anybody's mailbox - from fake
(and totally untraceable) messages, to flooding the mailbox (and
maybe the hard drive). I found this by inspecting the source code for
buffer overflows heh.
Say I wanted to send a fake message to user joe that looks like it
is coming from root; simply running

    mail.local -f root joe
    <message+eof>

could do it. mail.local simply dumps the message as you enter
it into the user's mailbox.
Since mail.local does not check the message length, you can
flood a mailbox (and possibly the hard drive) in a matter of seconds.
Finally, mail.local only checks whether a user exists by using
/etc/passwd, which means anybody could create mailboxes for users
like bin, nobody, etc. (usually this is no security compromise).
Examples:
[http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz]
[http://poc.csoft.net/advs/mail.local/junk.tar.gz]
Patch/Fix:
[http://poc.csoft.net/advs/mail.local/mail.local.diff]
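The two checks described as missing under Problem, sketched as an added example; this is not the advisory's mail.local.diff and not Sendmail code. The function names, the 1 MB limit, and the assumption that the MTA invokes the mailer with real uid 0 are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>

#define MAX_MSG_BYTES (1024L * 1024L)   /* assumed site limit (the advisory's "X") */

/* Accept a -f sender only if the real uid is 0 (assumed to be the MTA's
 * delivery path) or the sender equals the caller's own login name. */
int sender_allowed(uid_t caller_uid, const char *caller_login, const char *from)
{
    if (caller_uid == 0)
        return 1;
    if (caller_login == NULL || from == NULL)
        return 0;
    return strcmp(caller_login, from) == 0;
}

/* Copy a message from in to out, refusing more than max bytes.
 * Returns bytes copied, or -1 on oversize or I/O error; on -1 the
 * caller must discard the partial copy. Oversize attempts are logged. */
long copy_limited(FILE *in, FILE *out, long max, const char *rcpt)
{
    char buf[4096];
    long total = 0;
    size_t n;

    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if ((long)n > max - total) {
            syslog(LOG_WARNING, "message for %s exceeds %ld bytes", rcpt, max);
            return -1;
        }
        if (fwrite(buf, 1, n, out) != n)
            return -1;
        total += (long)n;
    }
    return ferror(in) ? -1 : total;
}

int main(void)
{
    FILE *in = tmpfile(), *out = tmpfile();
    if (!in || !out)
        return 1;
    fputs("Subject: hi\n\nhello joe\n", in);   /* constructed sample message */
    rewind(in);
    printf("uid 1000 (joe) as root: %d\n", sender_allowed(1000, "joe", "root"));
    printf("copied: %ld\n", copy_limited(in, out, MAX_MSG_BYTES, "joe"));
    return 0;
}
```

In a real mailer the caller's login would come from getpwuid(getuid()), and the message would be spooled to a temporary file first so that a rejected message never reaches the mailbox.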
Status:
I contacted the authors about this; since this is not a big security
concern for most people, there's no hurry =p. I made a quick-and-dirty
patch that logs attempts to send messages bigger than X to syslog (you
really should adapt it to your system if you want to use it).
I really had nothing to do today.
.sw3
`