poc.mail.local.txt

1999-08-17T00:00:00
ID PACKETSTORM:12262
Type packetstorm
Reporter sw3
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Proof of Concept - Security Advisory 02/15/99  
http://poc.csoft.net Released by  
poc@csoft.net sw3wn@poc.csoft.net  
  
---  
  
Affected Program mail.local (Berkeley Sendmail)  
Description Local mailer (forward mail to mailboxes)  
Severity Mailbox compromise  
  
  
Synopsis:  
  
mail.local is a small program distributed with Berkeley Sendmail,  
used as a local mailer (forwards mail to mailboxes), also able to  
handle LMTP commands. It runs SUID root in order to access the  
users's mailbox (ie. /var/spool/mail, /usr/spool/mail).  
  
Overview:  
  
When mail has to be written to a user's mailbox locally, a local  
mailer is used; the mail.local program that comes with Sendmail  
does this task, but does not restrict the length of a message, or  
does not check the authenticity of the user who sends it.  
  
This is obviously not a big security issue - but still, it has to  
get fixed, as this could lead to more serious problem if used  
on a system with lots of e-mail accounts.  
  
Problem:  
  
This can lead to the compromising of anybody's mailbox - from fake  
(and totally untraceable messages), to flooding the mailbox (and  
maybe the hard drive). I found this by inspecting the source code for  
buffer overflows heh.  
  
Say I wanted to send a fake message like it was coming from root  
to user joe, simply running  
mail.local -f root joe  
<message+eof>  
could do it. mail.local simply dumps the message as you enter  
it in the user's maibox.  
  
Since mail.local does not checks for message length, you can  
flood a mailbox (and possibly the hard drive) in a matter of seconds.  
  
Finally, mail.local only check if a user exists by using /etc/passwd,  
that means anybody could create mailboxes for users like bin, nobody,  
etc (usually it's no security compromise).  
  
Examples:  
[http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz]  
[http://poc.csoft.net/advs/mail.local/junk.tar.gz]  
  
Patch/Fix:  
[http://poc.csoft.net/advs/mail.local/mail.local.diff]  
  
Status:  
  
I contacted the authors about this, since this is not a big security  
concern for most people it's not a hurry =p. I made a quick-and-dirty  
patch that logs attempt to send messages bigger than X to syslog (you  
really should adapt it to your system if you want to use it).  
I really had nothing to do today.  
  
.sw3  
`