Red Hat Bugzilla – Bug 15626
/bin/mail + suidperl = rootshell
Last modified: 2008-05-01 11:37:57 EDT
Seems no-one else has posted this yet, so here goes:
A Bugtraq posting explains how local users can gain root access on any
RH6.x system by exploiting a bad interaction between /bin/mail's
undocumented "interactive" feature, and suidperl's tendency to mail root
when it detects a changed script.
The URL is posted into the bugzilla URL field above.
Mail should not allow shell escapes in a SUID context. (It should probably
document the "interactive" feature as well)
This duplicates bug ids 15630 and 15641
*** This bug has been marked as a duplicate of 15625 ***