COMMAND

    ELM 2.4 PL24

SYSTEMS AFFECTED

    Linux and possibly others

PROBLEM

    The vulnerability described below is a variation of a vulnerability
    described on these pages under the Linux section as 'filter'.
    Anyway, take a look.

    There is  an Elm  feature which  allows you  to overwrite anyone's
    files  (provided  that  certain  conditions  are met). When Elm is
    started,  it  creates  /tmp/mbox.Mailbox,  which  is there only to
    tell it that  a copy of  Elm is running.  When you go  to "m)ail a
    message",   two   more   files   are   created:  /tmp/snd.PID  and
    /tmp/est.PID, where PID  is the PID  of that Elm  process. snd.PID
    is  the  tempfile  where  the  actual  message  you're  writing is
    stored,  and  est.PID  contains  some  sort of temporary data. The
    problem lies in the fact  that Elm doesn't check if  these already
    exist, and the filenames are quite predictable.

    If  you  are  so  inclined,  you  could  write  a  program to keep
    checking if people are starting  Elm, and when someone does,  make
    appropriate   hard    links,   for    example   /tmp/est.PID    ->
    /home/victim/important_file, and when  the victim goes  to compose
    a new message, his important_file will be trash.

    Another thing this can be used for is stealing the person's  mail.
    If you  hardlink /tmp/snd.PID  to a  world writable  file owned by
    you, the message that  the user writes will  be written to it  and
    Elm won't have permission to remove it (since it's owned by  you),
    so you end up with the mail that the victim sent. It's possible to
    set up a  daemon to grab  ALL outgoing mail  of a user  this  way.
    Credit goes to fflush.
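
    The missing existence check described above, as an added example
    (not Elm's code and not part of the original advisory): an open
    that truncates an existing name beside one that uses O_EXCL. The
    function names, the scratch directory and the 10-byte
    important_file are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1   /* mkdtemp() under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: reuses and truncates whatever already sits at path,
 * which is the behaviour the advisory describes. */
static int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if the name already
 * exists, whether as a regular file, a hard link or a symlink. */
static int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed setup: a private scratch directory holding a 10-byte
 * important_file plus a pre-existing hard link to it named snd.<pid>.
 * Opens the link name with the chosen opener, stores 0 or errno in *err,
 * and returns the size of important_file afterwards (-1 on setup failure). */
long run_case(int use_excl, int *err) {
    char dir[] = "/tmp/elmdemo.XXXXXX", target[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important_file", dir);
    snprintf(tmp, sizeof tmp, "%s/snd.%ld", dir, (long)getpid());
    int fd = open_tmp_excl(target);
    if (fd < 0 || write(fd, "0123456789", 10) != 10) return -1;
    close(fd);
    if (link(target, tmp) != 0) return -1;

    fd = use_excl ? open_tmp_excl(tmp) : open_tmp_weak(tmp);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e1, e2;
    long weak = run_case(0, &e1), excl = run_case(1, &e2);
    printf("weak open: important_file is now %ld bytes (errno %d)\n", weak, e1);
    printf("O_EXCL:    important_file is now %ld bytes (errno %d)\n", excl, e2);
    return 0;
}
```

    On current Linux kernels the fs.protected_hardlinks sysctl also
    refuses hard links to files the linking user neither owns nor can
    read and write, which covers the important_file case but not the
    snd.PID case, where the linked file belongs to the other user.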

SOLUTION

    2.4 PL25 came out in December, 1995.  It may be found at:

        ftp://ftp.myxa.com/pub/elm/elm2.4.tar.Z

    2.4 PL25 is still the current release.  2.5 is in beta test.