-
- There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc
- and /usr/bin/mh/msgchk suid root. These programs are configured suid root
- in order to bind to a privileged port for rpop authentication. However,
- there is a non-security conflict between mh and the default Red Hat 2.1
- configuration in that the /etc/services lists pop-2 and pop-3 services, but
- the mh utilities do lookups for a pop service, which doesn't exist, resulting
- in an inability to use any of the pop functionality. This may be a fortunate
- bug, since there may be more serious security holes within the pop functions
- of these two programs.
- The security hole present in these two programs is that when opening
- up the configuration files in the user's home directory, root privileges
- are maintained, and symbolic links are followed. This allows an arbitrary
- file to be opened. Fortunately, the program does not simply dump the
- contents of this file anywhere, and only certain formatting is allowed in
- the file to be processed by the program in order to see any output. In
- the cases where it will be processed, only the first line of the file will
- actually be output to the user.
-
- Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk
- Affected Operating Systems: Red Hat 2.1 Linux distribution
- Requirements: account on system
- Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk
- Security Compromise: read 1st line of some arbitrary files
- Author: Dave M. (davem@cmu.edu)
- Synopsis: inc & msgchk fail to check file permissions
- before opening user configuration files
- in the user's home directory, allowing a user
- on the system to read the first line of any
- file on the system with some limitations.
-
- Exploit:
- $ ln -s FILE_TO_READ ~/.mh_profile
- $ /usr/bin/mh/msgchk
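The defect described above is a setuid-root program opening a file under the user's control with root's privileges and with symlinks followed. The following is an added example, not code from the advisory or from the mh sources, showing how such a program should open a per-user profile instead: with the real uid in effect, O_NOFOLLOW set, and an ownership check on the opened file. The function names and the temp-dir self-check are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a config file from the user's home the way a setuid-root program should:
 * with the caller's real uid in effect (so the kernel applies the user's own
 * permissions), refusing symlinks, and insisting the result is a regular file
 * owned by that user. Returns an fd or -1 with errno set. */
int open_user_config(const char *path) {
    uid_t real = getuid();
    if (seteuid(real) != 0) return -1;            /* drop root for the open */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    int saved = errno;
    (void)seteuid(0);                             /* regain root; no-op if never root */
    if (fd < 0) { errno = saved; return -1; }     /* a symlink fails here with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real) {
        close(fd); errno = EACCES; return -1;     /* not a plain file of this user */
    }
    return fd;
}

/* Self-check in a constructed temp dir: a real profile opens, while a
 * ".mh_profile" that is a symlink to another file is refused. Returns 1 on success. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/mh-demo-XXXXXX";
    char real[128], other[128], link[128];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/profile", dir);
    snprintf(other, sizeof other, "%s/not_a_profile", dir);
    snprintf(link, sizeof link, "%s/.mh_profile", dir);
    FILE *f = fopen(real, "w");  if (!f) return 0;  fputs("Path: Mail\n", f); fclose(f);
    f = fopen(other, "w");       if (!f) return 0;  fputs("private\n", f);    fclose(f);
    if (symlink(other, link) != 0) return 0;      /* the advisory's ln -s shape */
    int fd_ok = open_user_config(real);
    int fd_bad = open_user_config(link);
    int bad_errno = errno;
    if (fd_ok >= 0) close(fd_ok);
    unlink(link); unlink(other); unlink(real); rmdir(dir);
    return fd_ok >= 0 && fd_bad < 0 && bad_errno == ELOOP;
}

int main(void) {
    printf("symlinked profile refused: %s\n", demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```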