COMMAND

    /usr/bin/mh/inc
    /usr/bin/mh/msgchk

SYSTEMS AFFECTED

    RedHat 2.1 linux distribution

PROBLEM

    There is a security hole in Red Hat 2.1, which installs
    /usr/bin/mh/inc and /usr/bin/mh/msgchk suid root.  These programs
    are configured suid root in order to bind to a privileged port
    for rpop authentication.  There is also a non-security conflict
    between mh and the default Red Hat 2.1 configuration: /etc/services
    lists pop-2 and pop-3 services, but the mh utilities look up a
    service named pop, which doesn't exist, so none of the pop
    functionality can be used.  This may be a fortunate bug, since
    there may be more serious security holes within the pop functions
    of these two programs.

    The security hole present in these two programs is that when
    opening the configuration files in the user's home directory,
    root privileges are retained and symbolic links are followed.
    This allows an arbitrary file to be opened.  Fortunately, the
    program does not simply dump the contents of this file anywhere:
    the file must be in the format the program expects before any
    output is produced, and even then only its first line is shown
    to the user.  Author of this is Dave M. (davem@cmu.edu)

    Exploit:

        $ ln -s FILE_TO_READ ~/.mh_profile
        $ /usr/bin/mh/msgchk
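    The following is an added example, not code from the advisory or
    from mh, showing how a setuid program can open a per-user profile
    without becoming a way to read arbitrary files: it drops root to
    the real user before the open, refuses to follow a symlink
    (O_NOFOLLOW), and verifies the opened descriptor with fstat.  The
    function names open_user_profile and demo_symlink_refused, the
    scratch directory under /tmp and the "Path: Mail" profile content
    are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened way for a setuid program to open a per-user
 * profile such as ~/.mh_profile (not mh's own code).  Two defences,
 * either of which alone would have closed the hole described above:
 *   1. give up root before touching anything under the user's control,
 *      so the open is performed with the user's own permissions;
 *   2. refuse to follow a symbolic link, then confirm on the opened
 *      descriptor that it is a regular file owned by the expected user.
 * Returns an open read-only descriptor, or -1 with errno set. */
int open_user_profile(const char *path, uid_t owner)
{
    struct stat st;
    int fd;

    /* 1. Temporarily drop effective privileges to the real (invoking)
     *    user.  In a setuid-root process this moves euid from 0 to the
     *    caller; in an unprivileged process it is a successful no-op.
     *    A program that never needs root again should drop it
     *    permanently with setuid()/setresuid() instead. */
    if (seteuid(getuid()) != 0)
        return -1;

    /* 2. O_NOFOLLOW makes open() fail (ELOOP on Linux) when the last
     *    path component is a symlink instead of silently following it. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;

    /* 3. Validate the object actually opened.  fstat() on the descriptor
     *    leaves no window between this check and later reads. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained check using a constructed scratch directory: a genuine
 * profile opens fine, while a ".mh_profile" that is really a symlink
 * to another file (the trick used in the exploit above) is refused.
 * Returns 1 when both hold, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/mh_demo_XXXXXX";
    char real[256], lnk[256];
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/real_profile", dir);
    snprintf(lnk, sizeof lnk, "%s/.mh_profile", dir);

    /* constructed profile content, owned by the current user */
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, "Path: Mail\n", 11) != 11) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    /* the symlink trick: .mh_profile -> some other file */
    if (symlink(real, lnk) != 0)
        goto cleanup;

    fd = open_user_profile(real, getuid());     /* must succeed */
    if (fd < 0)
        goto cleanup;
    close(fd);

    fd = open_user_profile(lnk, getuid());      /* must be refused */
    if (fd < 0)
        ok = 1;
    else
        close(fd);

cleanup:
    unlink(lnk);
    unlink(real);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlinked profile refused: %s\n",
           demo_symlink_refused() ? "yes" : "NO");
    return 0;
}
```

    Run as an ordinary user the program reports "yes"; the seteuid()
    call is what matters when the same code is installed suid root,
    because the open then happens with the user's permissions and a
    link to a root-only file fails on permissions even before the
    symlink and ownership checks are reached.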

SOLUTION

    Turn the suid bit off on both programs:

        chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk