Re: local mail delivery
Neil Woods (neil@legless.demon.co.uk)
Thu, 3 Aug 1995 20:38:37 +0100
>
> I was called for help on a breakin attempt that appeared to be using
> the local mail delivery agent race on SunOS. In response, I wrote the
> following. It appears to me to be fairly tight, but I'd appreciate any
> flaws anyone can pick with it. (It does have some problems, notably
> lack of checking for malloc() failure and disk full errors. I'm
> talking about specifically security holes.)
>
> In return, I offer this to anyone who may care to use it. (Of course,
> it comes with no warranty; it's free, and you get what you pay for.)
> Unpack into a directory somewhere and compile with
> "cc -I. -o localmail *.c" or something equivalent. (You will need to
> use a prototype-capable compiler. NeXTstep 2.1 /bin/cc works, as does
> gcc 2.6.3 under SunOS 4.1.3, provided you link with something that
> provides strerror().)
>
> der Mouse
>
> mouse@collatz.mcrcim.mcgill.edu
>
I had a quick look at your code (although you're tab key appears to
be broken, and your space bar is intermitent ;-), main() doesnt look
too clever:-
{ FILE *f;
int i;
i = open("/tmp/localmail.log",O_WRONLY|O_APPEND);
if (i >= 0)
{ f = fdopen(i,"a");
fprintf(f,"[%d] uid=%d euid=%d ac=%d\n",getpid(),getuid(),geteuid(),ac);
for (i=0;av[i];i++)
{ fprintf(f,"\t%s\n",av[i]);
}
fclose(f);
}
I presume you either intend to make localmail suid root, or have sendmail
set[ug]id for you, which makes the above potentially dodgy.
Also your mkstemp() replacement is pure overkill.
Recommended code for binmail, with every known problem fixed, can be
found in:-
CERT advisory CA-95:02.binmail.vulnerabilities
and I would personally recommend it.
Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...