Bug 15626

Summary: /bin/mail + suidperl = rootshell
Product: [Retired] Red Hat Linux
Reporter: Philip Rowlands <phr>
Component: mailx
Assignee: Florian La Roche <laroche>
Status: CLOSED DUPLICATE
Severity: medium
Priority: high
Version: 6.2
CC: gafton
Keywords: Security
Hardware: i386
OS: Linux
URL: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-01%26msg%3DPine.LNX.4.21.0008051825300.26685-101000%40dione.ids.pl
Doc Type: Bug Fix
Last Closed: 2000-08-07 17:29:39 UTC

Description Philip Rowlands 2000-08-07 10:26:23 UTC
Seems no-one else has posted this yet, so here goes:

A Bugtraq posting explains how local users can gain root access on any
RH6.x system by exploiting a bad interaction between /bin/mail's
undocumented "interactive" feature, and suidperl's tendency to mail root
when it detects a changed script.

The URL is posted into the bugzilla URL field above.

Mail should not allow shell escapes in a SUID context. (It should probably
document the "interactive" feature as well.)

Comment 1 Philip Rowlands 2000-08-07 17:29:37 UTC
This duplicates bug ids 15630 and 15641

Comment 2 Pekka Savola 2000-08-08 08:47:32 UTC

*** This bug has been marked as a duplicate of 15625 ***