There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid root. These programs are configured suid root in order to bind to a privileged port for rpop authentication. However, there is a non-security conflict between mh and the default Red Hat 2.1 configuration: /etc/services lists pop-2 and pop-3 services, but the mh utilities look up a "pop" service, which doesn't exist, so none of the pop functionality can be used. This may be a fortunate bug, since there may be more serious security holes within the pop functions of these two programs.

The security hole present in these two programs is that when opening the configuration files in the user's home directory, root privileges are maintained and symbolic links are followed. This allows an arbitrary file to be opened. Fortunately, the program does not simply dump the contents of this file anywhere; only certain formatting in the file is accepted for processing, so output is seen only in some cases. In the cases where the file is processed, only its first line is actually output to the user.
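As an added illustration, not part of Dave M.'s advisory or of the mh source, this is how a setuid program can open a per-user file such as ~/.mh_profile so that a planted symbolic link cannot redirect the open to a root-readable file: the open is performed as the real user and symlinks are refused. The function names and the scratch-directory self-check are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user config file (such as ~/.mh_profile) from a setuid program.
 * Defences against the symlink trick in the advisory: the open runs as the
 * invoker's real uid (no root bypass) and O_NOFOLLOW refuses a symlink as the
 * final component; the result must also be a regular file owned by the invoker.
 * Returns an fd >= 0, or -1 with errno set (ELOOP when a symlink was refused). */
int open_user_config(const char *path)
{
    uid_t real = getuid(), eff = geteuid();
    if (eff != real && seteuid(real) != 0) return -1;   /* become the real user */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int saved = errno;
    /* regain root for the later privileged-port bind; give up if that fails */
    if (eff != real && seteuid(eff) != 0) { if (fd >= 0) close(fd); return -1; }
    if (fd < 0) { errno = saved; return -1; }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real) {
        close(fd); errno = EACCES; return -1;
    }
    return fd;
}

/* Constructed check in a scratch directory: a genuine profile and a "profile"
 * that is really a symlink to another file. Returns 1 when the genuine file
 * opens and the symlinked one is refused with ELOOP. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/mhdemo.XXXXXX", prof[256], lnk[256], tgt[256];
    if (!mkdtemp(dir)) return 0;
    snprintf(prof, sizeof prof, "%s/.mh_profile", dir);
    snprintf(tgt, sizeof tgt, "%s/not-for-mh.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/.mh_profile_link", dir);
    FILE *f = fopen(prof, "w"); if (f) { fputs("Path: Mail\n", f); fclose(f); }
    FILE *g = fopen(tgt, "w");  if (g) { fputs("secret\n", g); fclose(g); }
    int ok = symlink(tgt, lnk) == 0;
    int fd = open_user_config(prof); ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    int refused = open_user_config(lnk) < 0 && errno == ELOOP;
    unlink(prof); unlink(tgt); unlink(lnk); rmdir(dir);
    return ok && refused;
}
```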
Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk
Affected Operating Systems: Red Hat 2.1 Linux distribution
Requirements: account on system
Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk
Security Compromise: read 1st line of some arbitrary files
Author: Dave M. (davem@cmu.edu)
Synopsis: inc & msgchk fail to check file permissions before opening user configuration files in the user's home directory, allowing a user on the system to read the first line of any file on the system, with some limitations.

Exploit:

    $ ln -s FILE_TO_READ ~/.mh_profile
    $ /usr/bin/mh/msgchk