
Bug#2347: mh security (was: forwarded message from David J. Meltzer)

Package: mh
Version: 6.8.3-2

/usr/bin/mh/{inc,msgchk} should not be setgid root, until this problem
is resolved.  sgid mail would probably be appropriate in the meantime.

Ian.

------- start of forwarded message (RFC 934 encapsulation) -------
Article: 406 of chiark.mail.linux-security
Message-ID: <Ql1jI7i00iVGQDAFdS@andrew.cmu.edu>
From: David J Meltzer <davem+@andrew.cmu.edu>
To: linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
Subject: Red Hat mh inc/msgchk security hole
Date: Fri, 26 Jan 1996 21:32:08 GMT

[mod: This is not a terribly dangerous hole, but I'm approving this to
	linux-alert nevertheless. Making tools such as mail readers
	setuid root is a bad idea, anyway (IMHO).

	Marc Ewing has made an updated RPM available at ftp.redhat.com
	as /pub/redhat-2.1/i386/updates/RPMS/mh-6.8.3-4.i386.rpm
	Its MD5 sum is 32d61477bc9facfbad7315598d5dee91.
					--okir]

   There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc
and /usr/bin/mh/msgchk suid root.  These programs are configured suid root
in order to bind to a privileged port for rpop authentication.  However,
there is a non-security conflict between mh and the default Red Hat 2.1
configuration in that the /etc/services lists pop-2 and pop-3 services, but
the mh utilities do lookups for a pop service, which doesn't exist, resulting
in an inability to use any of the pop functionality.  This may be a fortunate
bug, since there may be more serious security holes within the pop functions
of these two programs.
   The security hole present in these two programs is that when opening
up the configuration files in the user's home directory, root privileges
are maintained, and symbolic links are followed.  This allows an arbitrary
file to be opened.  Fortunately, the program does not simply dump the
contents of this file anywhere, and only certain formatting is allowed in
the file to be processed by the program in order to see any output.  In
the cases where it will be processed, only the first line of the file will
actually be output to the user.

                   Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk
Affected Operating Systems: Red Hat 2.1 Linux distribution
              Requirements: account on system
                     Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk
       Security Compromise: read 1st line of some arbitrary files
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: inc & msgchk fail to check file permissions
                            before opening user configuration files
                            in the user's home directory, allowing a user
                            on the system to read the first line of any
                            file on the system with some limitations.

Exploit:
$ ln -s FILE_TO_READ ~/.mh_profile
$ /usr/bin/mh/msgchk

       /-------------\
       |David Meltzer|
       |davem@cmu.edu|
 /--------------------------\
 |School of Computer Science|
 |Carnegie Mellon University|
 \--------------------------/

------- end -------
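Added example, not mh's code and not part of the forwarded advisory: a C routine showing how a setuid or setgid program should open a per-user file such as ~/.mh_profile so that the symlink trick in the exploit above fails. The names open_user_config and demo_symlink_attack, the scratch directory under /tmp and the "secret" file contents are all constructed for this illustration; it assumes a POSIX system with O_NOFOLLOW, seteuid() and mkdtemp(). The demo function re-runs the advisory's ln -s attack against the hardened open and reports whether it was refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH read-only on behalf of the invoking user UID.
 * Hardened against the advisory's attack in three ways:
 *   1. the open runs with the effective uid lowered to UID, so the kernel
 *      checks permissions as the user, not as root;
 *   2. O_NOFOLLOW makes a symlink at PATH fail with ELOOP instead of being
 *      followed to an arbitrary file;
 *   3. owner and file type are checked on the open descriptor (fstat), not
 *      on the path name, so there is no check/use race.
 * A setgid program (sgid mail, as suggested in the bug report) should wrap
 * the open in setegid() the same way.  Returns fd >= 0 or -1 with errno set. */
int open_user_config(const char *path, uid_t uid)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    int fd, saved_errno;

    if (saved_euid != uid && seteuid(uid) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    saved_errno = errno;
    /* Regain privileges whatever happened; if that fails, do not continue. */
    if (saved_euid != uid && seteuid(saved_euid) != 0)
        abort();
    if (fd < 0) {
        errno = saved_errno;            /* ELOOP when PATH was a symlink */
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Create PATH containing TEXT (constructed demo data). 0 on success, -1 on error. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ssize_t len = (ssize_t)strlen(text);
    if (fd < 0)
        return -1;
    if (write(fd, text, (size_t)len) != len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Constructed re-run of the advisory's exploit in a scratch directory:
 * "secret" stands in for FILE_TO_READ, .mh_profile is a symlink to it and
 * profile.real is a genuine profile.  Returns 0 when the hardened open
 * accepts the real profile and rejects the symlink with ELOOP, else -1. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/mhdemo.XXXXXX";
    char secret[256], real[256], link[256];
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(real, sizeof real, "%s/profile.real", dir);
    snprintf(link, sizeof link, "%s/.mh_profile", dir);

    if (write_file(secret, "root:*:0:0:root:/root:/bin/sh\n") != 0 ||
        write_file(real, "Path: Mail\n") != 0 ||
        symlink(secret, link) != 0)          /* ln -s FILE_TO_READ ~/.mh_profile */
        goto cleanup;

    fd = open_user_config(real, getuid());   /* genuine profile: accepted */
    if (fd < 0)
        goto cleanup;
    close(fd);

    fd = open_user_config(link, getuid());   /* planted symlink: refused */
    if (fd < 0 && errno == ELOOP)
        ok = 1;
    else if (fd >= 0)
        close(fd);

cleanup:
    unlink(link);
    unlink(real);
    unlink(secret);
    rmdir(dir);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = demo_symlink_attack();
    puts(rc == 0 ? "symlink rejected, real profile accepted" : "demo failed");
    return rc == 0 ? 0 : 1;
}
```

Build with cc -Wall -o mhdemo mhdemo.c and run it as an ordinary user. The simplest cure for mh itself is the one both messages give, dropping the set-id bit entirely; the pattern above is for the case where the privilege genuinely has to be kept (here, binding the privileged rpop port) and every open of a user-controlled path must therefore be done as the user.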

