Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSw3PACKETSTORM:12262
HistoryAug 17, 1999 - 12:00 a.m.

poc.mail.local.txt

1999-08-1700:00:00
sw3
packetstormsecurity.com
36
JSON
`Proof of Concept - Security Advisory 02/15/99  
http://poc.csoft.net Released by  
[email protected] [email protected]  
  
---  
  
Affected Program mail.local (Berkeley Sendmail)  
Description Local mailer (forward mail to mailboxes)  
Severity Mailbox compromise  
  
  
Synopsis:  
  
mail.local is a small program distributed with Berkeley Sendmail,  
used as a local mailer (forwards mail to mailboxes), also able to  
handle LMTP commands. It runs SUID root in order to access the  
users's mailbox (ie. /var/spool/mail, /usr/spool/mail).  
  
Overview:  
  
When mail has to be written to a user's mailbox locally, a local  
mailer is used; the mail.local program that comes with Sendmail  
does this task, but does not restrict the length of a message, or  
does not check the authenticity of the user who sends it.  
  
This is obviously not a big security issue - but still, it has to  
get fixed, as this could lead to more serious problem if used  
on a system with lots of e-mail accounts.  
  
Problem:  
  
This can lead to the compromising of anybody's mailbox - from fake  
(and totally untraceable messages), to flooding the mailbox (and  
maybe the hard drive). I found this by inspecting the source code for  
buffer overflows heh.  
  
Say I wanted to send a fake message like it was coming from root  
to user joe, simply running  
mail.local -f root joe  
<message+eof>  
could do it. mail.local simply dumps the message as you enter  
it in the user's maibox.  
  
Since mail.local does not checks for message length, you can  
flood a mailbox (and possibly the hard drive) in a matter of seconds.  
  
Finally, mail.local only check if a user exists by using /etc/passwd,  
that means anybody could create mailboxes for users like bin, nobody,  
etc (usually it's no security compromise).  
  
Examples:  
[http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz]  
[http://poc.csoft.net/advs/mail.local/junk.tar.gz]  
  
Patch/Fix:  
[http://poc.csoft.net/advs/mail.local/mail.local.diff]  
  
Status:  
  
I contacted the authors about this, since this is not a big security  
concern for most people it's not a hurry =p. I made a quick-and-dirty  
patch that logs attempt to send messages bigger than X to syslog (you  
really should adapt it to your system if you want to use it).  
I really had nothing to do today.  
  
.sw3  
`
JSON