SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   mail (/usr/bin/mail) Vendors:   OpenBSD
(Openbsd Issues Fix) OpenBSD '/usr/bin/mail' May Let Local Users Execute Commands With Root Privileges By Specifying a Malicious Crontab Entry
SecurityTracker Alert ID:  1004025
SecurityTracker URL:  http://securitytracker.com/id/1004025
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 11 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in '/usr/bin/mail' on OpenBSD. A local user that can specify a crontab entry may be able to cause arbitrary shell commands to be executed on the system with root level privileges.

It is reported that /usr/bin/mail allows a special escape sequence to be specified in the body of an email. This escape sequence specifies a shell comand to be executed, as described in the mail(1) man page:

~!command

This tilde escape command is not supposed to be implemented for non-interactive mode.

A local user that can specify a cron file name may be able to cause arbitrary commands to be executed with root privileges when the cron job is run.

Impact:   A local user that can specify cronttab entries may be able to cause arbitrary shell commands to be execute with root privileges, giving that user root level access to the system.
Solution:   The vendor has released a fix.

Patch for OpenBSD 3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch

Patch for OpenBSD 2.9:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch

Vendor URL:  www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24 (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  2.9, 3.0

Message History:   This archive entry is a follow-up to the message listed below.
Apr 11 2002 OpenBSD '/usr/bin/mail' May Let Local Users Execute Commands With Root Privileges By Specifying a Malicious Crontab Entry



 Source Message Contents

Subject:  localhost compromise in OpenBSD 2.9 and 3.0


OpenBSD 3.0 and 2.9 contain a potential localhost root compromise,
found by Milos Urbanek.  Earlier versions of OpenBSD are not affected.

The mail(1) program will process tilde escapes even when it is not
in interactive mode.  Since mail(1) is called by the default cron(8)
jobs, this can lead to a localhost root compromise.

Patch for OpenBSD 3.0:
    href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch

Patch for OpenBSD 2.9:
    href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch

The 3.0-stable and 2.9-stable branches will be updated with this
patch later today.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC