Bug 15626 - /bin/mail + suidperl = rootshell
Summary: /bin/mail + suidperl = rootshell
Status: CLOSED DUPLICATE of bug 15625
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mailx
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Florian La Roche
QA Contact:
URL: http://www.securityfocus.com/frames/?...
Keywords: Security
Depends On:
Reported: 2000-08-07 10:26 UTC by Philip Rowlands
Modified: 2008-05-01 15:37 UTC

Clone Of:
Last Closed: 2000-08-07 17:29:39 UTC

Description Philip Rowlands 2000-08-07 10:26:23 UTC
Seems no-one else has posted this yet, so here goes:

A Bugtraq posting explains how local users can gain root access on any
RH6.x system by exploiting a bad interaction between /bin/mail's
undocumented "interactive" feature, and suidperl's tendency to mail root
when it detects a changed script.

The URL is posted into the bugzilla URL field above.

Mail should not allow shell escapes in a SUID context. (It should probably
document the "interactive" feature as well)

Comment 1 Philip Rowlands 2000-08-07 17:29:37 UTC
This duplicates bug ids 15630 and 15641

Comment 2 Pekka Savola 2000-08-08 08:47:32 UTC

*** This bug has been marked as a duplicate of 15625 ***
