Proof of Concept - Security Advisory
02/15/99
http://poc.csoft.net
Released by poc@csoft.net
sw3wn@poc.csoft.net

---

Affected Program: mail.local (Berkeley Sendmail)
Description:      Local mailer (forward mail to mailboxes)
Severity:         Mailbox compromise

Synopsis:

mail.local is a small program distributed with Berkeley Sendmail, used as a local mailer (it forwards mail to mailboxes) and also able to handle LMTP commands. It runs SUID root in order to access the users' mailboxes (i.e. /var/spool/mail, /usr/spool/mail).

Overview:

When mail has to be written to a user's mailbox locally, a local mailer is used; the mail.local program that comes with Sendmail does this task, but it neither restricts the length of a message nor checks the authenticity of the user who sends it. This is obviously not a big security issue, but it still has to be fixed, as it could lead to more serious problems on a system with lots of e-mail accounts.

Problem:

This can lead to the compromise of anybody's mailbox, from fake (and totally untraceable) messages to flooding the mailbox (and maybe the hard drive). I found this by inspecting the source code for buffer overflows heh.

Say I wanted to send a fake message like it was coming from root to user joe: simply running

    mail.local -f root joe

could do it. mail.local simply dumps the message as you enter it into the user's mailbox.

Since mail.local does not check the message length, you can flood a mailbox (and possibly the hard drive) in a matter of seconds.

Finally, mail.local only checks whether a user exists by using /etc/passwd, which means anybody could create mailboxes for users like bin, nobody, etc. (usually this is no security compromise).

Examples:

http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz
http://poc.csoft.net/advs/mail.local/junk.tar.gz

Patch/Fix:

http://poc.csoft.net/advs/mail.local/mail.local.diff

Status:

I contacted the authors about this; since this is not a big security concern for most people it's not a hurry =p.
I made a quick-and-dirty patch that logs attempts to send messages bigger than X to syslog (you really should adapt it to your system if you want to use it). I really had nothing to do today.

.sw3
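The three checks the advisory says mail.local lacks (a message size limit with syslog logging of oversize attempts, a sender check tied to the invoking uid, and a recipient policy that goes beyond "exists in /etc/passwd"), written as a small delivery-time policy layer. This is an added example, not Sendmail's mail.local code and not the author's mail.local.diff; the 1 MiB limit, the uid-1000 cutoff for "real" users, and all function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* Assumed policy values, not from the advisory or from Sendmail. */
#define MAX_MESSAGE_BYTES (1024UL * 1024UL)   /* refuse messages over 1 MiB */
#define MIN_REAL_USER_UID 1000UL              /* lower uids are system accounts */

enum mailer_status {
    MAILER_OK = 0,
    MAILER_TOO_BIG,        /* message exceeded the size limit */
    MAILER_IO_ERROR,       /* could not write to the spool (disk full, ...) */
    MAILER_BAD_SENDER,     /* unprivileged caller claimed someone else's address */
    MAILER_BAD_RECIPIENT   /* recipient unknown or a system account */
};

/* Copy the message from 'in' to 'spool', refusing it as soon as the running
 * byte count would exceed max_bytes. *copied receives the bytes written so
 * far. Oversize messages are logged so flooding attempts become visible. */
enum mailer_status spool_message_limited(FILE *in, FILE *spool, size_t max_bytes,
                                         const char *sender, size_t *copied)
{
    char buf[4096];
    size_t n, total = 0;

    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (total + n > max_bytes) {
            syslog(LOG_WARNING, "message from %s exceeds %zu bytes, refused",
                   sender, max_bytes);
            *copied = total;
            return MAILER_TOO_BIG;
        }
        if (fwrite(buf, 1, n, spool) != n) {
            *copied = total;
            return MAILER_IO_ERROR;
        }
        total += n;
    }
    *copied = total;
    return MAILER_OK;
}

/* Only root (the MTA itself) may set an arbitrary envelope sender with -f;
 * any other caller may only claim its own login name. invoker_login is the
 * name the caller resolved for invoking_uid (e.g. via getpwuid), or NULL. */
enum mailer_status check_sender(uid_t invoking_uid, const char *invoker_login,
                                const char *claimed_from)
{
    if (invoking_uid == 0)
        return MAILER_OK;
    if (invoker_login != NULL && strcmp(invoker_login, claimed_from) == 0)
        return MAILER_OK;
    syslog(LOG_WARNING, "uid %lu (%s) tried to send as %s",
           (unsigned long)invoking_uid,
           invoker_login ? invoker_login : "unknown", claimed_from);
    return MAILER_BAD_SENDER;
}

/* Existing in /etc/passwd is not enough: refuse to create mailboxes for
 * system accounts (bin, nobody, ...). root is exempt because it commonly
 * receives mail; pass (uid_t)-1 for a recipient that does not exist. */
enum mailer_status check_recipient(uid_t recipient_uid)
{
    if (recipient_uid == (uid_t)-1)
        return MAILER_BAD_RECIPIENT;
    if (recipient_uid != 0 && recipient_uid < MIN_REAL_USER_UID)
        return MAILER_BAD_RECIPIENT;
    return MAILER_OK;
}

/* Stand-alone driver mirroring mail.local's "-f sender recipient" usage;
 * the message is read from stdin and, for this demo, spooled to a temp file. */
int main(int argc, char **argv)
{
    if (argc != 4 || strcmp(argv[1], "-f") != 0) {
        fprintf(stderr, "usage: %s -f sender recipient < message\n", argv[0]);
        return 2;
    }
    openlog("mail.local", LOG_PID, LOG_MAIL);

    uid_t uid = getuid();
    struct passwd *me = getpwuid(uid);
    if (check_sender(uid, me ? me->pw_name : NULL, argv[2]) != MAILER_OK)
        return 1;

    struct passwd *rcpt = getpwnam(argv[3]);
    if (check_recipient(rcpt ? rcpt->pw_uid : (uid_t)-1) != MAILER_OK)
        return 1;

    FILE *spool = tmpfile();
    size_t copied = 0;
    enum mailer_status st = spool_message_limited(stdin, spool, MAX_MESSAGE_BYTES,
                                                  argv[2], &copied);
    fclose(spool);
    printf("status %d, %zu bytes spooled\n", (int)st, copied);
    return st == MAILER_OK ? 0 : 1;
}
```

The size check is applied while copying into the spool rather than after the fact, so an oversize message never reaches the mailbox and the refusal is visible in the mail facility of syslog; the sender check relies on the real uid of the caller, which a SUID root program still sees via getuid(), so a user cannot claim another user's address unless the MTA (running as root) hands the message over.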