
poc.mail.local.txt

Published: 17 Aug 1999 00:00:00. Reported by sw3. Type: packetstorm. Source: packetstormsecurity.com

Local mailer vulnerability in mail.local can compromise mailboxes and cause flooding risks.

Code

Proof of Concept - Security Advisory 02/15/99
http://poc.csoft.net Released by
[email protected] [email protected]

---

Affected Program: mail.local (Berkeley Sendmail)
Description: Local mailer (forwards mail to mailboxes)
Severity: Mailbox compromise

Synopsis:

mail.local is a small program distributed with Berkeley Sendmail,
used as a local mailer (it forwards mail to mailboxes) and also able to
handle LMTP commands. It runs SUID root in order to access the
users' mailboxes (i.e. /var/spool/mail, /usr/spool/mail).

Overview:

When mail has to be written to a user's mailbox locally, a local
mailer is used; the mail.local program that comes with Sendmail
does this task, but it neither restricts the length of a message
nor checks the authenticity of the user who sends it.

This is obviously not a big security issue, but it still has to
be fixed, as it could lead to more serious problems if used
on a system with many e-mail accounts.

Problem:

This can lead to the compromise of anybody's mailbox: from fake
(and totally untraceable) messages to flooding the mailbox (and
maybe the hard drive). I found this by inspecting the source code for
buffer overflows heh.

Say I wanted to send a fake message as if it were coming from root
to user joe; simply running
mail.local -f root joe
<message+eof>
could do it. mail.local simply dumps the message as you enter
it into the user's mailbox.

Since mail.local does not check the message length, you can
flood a mailbox (and possibly the hard drive) in a matter of seconds.

Finally, mail.local only checks whether a user exists by using /etc/passwd,
which means anybody could create mailboxes for users like bin, nobody,
etc. (usually this is no security compromise).

Examples:
[http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz]
[http://poc.csoft.net/advs/mail.local/junk.tar.gz]

Patch/Fix:
[http://poc.csoft.net/advs/mail.local/mail.local.diff]

Status:

I contacted the authors about this; since this is not a big security
concern for most people, it's not a hurry =p. I made a quick-and-dirty
patch that logs attempts to send messages bigger than X to syslog (you
really should adapt it to your system if you want to use it).
I really had nothing to do today.

.sw3
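As an added example (not the advisory's patch and not Sendmail's own code), the two checks a SUID local mailer could apply against the problems described above: a bounded copy that refuses an oversize message and records the attempt via syslog, in the spirit of the author's patch, and a check that only root or a trusted daemon uid may name an arbitrary envelope sender with -f. Function names, the 4 KiB read chunk and the 1 MiB cap in main are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy a message from `in` to the mailbox stream `out`, refusing anything
 * over `limit` bytes. Returns the byte count copied, or -1 once the limit is
 * hit; the refusal is logged via syslog(3) with the caller's real uid, which
 * the SUID root bit does not change. */
long copy_message_bounded(FILE *in, FILE *out, long limit, const char *rcpt)
{
    char buf[4096];
    long total = 0;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (total + (long)n > limit) {
            syslog(LOG_WARNING, "message for %s over %ld bytes refused (uid=%u)",
                   rcpt, limit, (unsigned)getuid());
            return -1;
        }
        if (fwrite(buf, 1, n, out) != n)
            return -1;
        total += n;
    }
    return total;
}

/* May the invoking user claim `from` as the envelope sender (-f)? Root and
 * the trusted mail daemon account may name anyone; any other caller may only
 * name itself, so "-f root" from an ordinary uid is refused. */
int sender_allowed(uid_t real_uid, uid_t trusted_uid, const char *from,
                   const char *real_user)
{
    if (real_uid == 0 || real_uid == trusted_uid)
        return 1;
    return strcmp(from, real_user) == 0;
}

/* Stand-alone demo: relay stdin to stdout under a hypothetical 1 MiB cap,
 * the way a mailer would relay it into the mailbox file. */
int main(void)
{
    openlog("mail.local-demo", LOG_PID, LOG_MAIL);
    long n = copy_message_bounded(stdin, stdout, 1024L * 1024L, "joe");
    closelog();
    return n < 0 ? 1 : 0;
}
```

A caller that hits -1 mid-message should discard or truncate whatever was already appended to the mailbox, since the earlier chunks were written before the limit was reached.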
