15626 – /bin/mail + suidperl = rootshell

Bug 15626 - /bin/mail + suidperl = rootshell

Summary: /bin/mail + suidperl = rootshell

Keywords:
Status:	CLOSED DUPLICATE of bug 15625
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	mailx
Sub Component:
Version:	6.2
Hardware:	i386
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Florian La Roche
QA Contact:
Docs Contact:
URL:	http://www.securityfocus.com/frames/?...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-08-07 10:26 UTC by Philip Rowlands
Modified:	2008-05-01 15:37 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2000-08-07 17:29:39 UTC
Embargoed:

Attachments	(Terms of Use)

Description Philip Rowlands 2000-08-07 10:26:23 UTC

Seems no-one else has posted this yet, so here goes:

A Bugtraq posting explains how local users can gain root access on any
RH6.x system by exploiting a bad interaction between /bin/mail's
undocumented "interactive" feature, and suidperl's tendency to mail root
when it detects a changed script.

The URL is posted into the bugzilla URL field above.

Mail should not allow shell escapes in a SUID context. (It should probably
document the "interactive" feature as well)

Comment 1 Philip Rowlands 2000-08-07 17:29:37 UTC

This duplicates bug ids 15630 and 15641

Comment 2 Pekka Savola 2000-08-08 08:47:32 UTC


*** This bug has been marked as a duplicate of 15625 ***

Note You need to log in before you can comment on or make changes to this bug.