COMMAND

    autoreply(1)

SYSTEMS AFFECTED

    Any system with a standard installation of The Elm Mail System.
    All versions are believed to have this vulnerability.

PROBLEM

    Autoreply takes a filename as an argument. It then checks that
    the real uid has permission to read the specified file. Fine, a
    suid program should do just that. But then it does the fatal
    thing: it checks whether the filename has a / in front of it, and
    if it doesn't, autoreply does things the easy way. The program just
    reads the environment variable $HOME to find the full path of
    the file...! Had this been done before the readability test,
    things would have been fine, but after... Well, autoreply doesn't
    complain about the file, and since arepdaemon has to run as root,
    it can read any specified file. Hence, you can do the following:

        $ cd $HOME
        $ echo x > passwd
        $ export HOME=/.secure/etc
        $ autoreply passwd
        $ mail geiri < /dev/null

    And the file pops up in your inbox...
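
    The ordering problem described under PROBLEM, as an added example
    (not Elm's source): the check-then-resolve order next to the corrected
    resolve-then-check order. All function names and the "note" file
    scenario are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build the path that will be stored: absolute names as-is, others under home. */
static int join(const char *home, const char *name, char *out, size_t len)
{
    int n = (name[0] == '/') ? snprintf(out, len, "%s", name)
                             : snprintf(out, len, "%s/%s", home, name);
    return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

/* Order described in the advisory: test the name as given, then prepend home. */
int check_then_resolve(const char *home, const char *name, char *out, size_t len)
{
    if (access(name, R_OK) != 0)      /* a relative name is tested against cwd */
        return -1;
    return join(home, name, out, len); /* the stored path was never tested */
}

/* Corrected order: build the final path first, then test that exact path. */
int resolve_then_check(const char *home, const char *name, char *out, size_t len)
{
    if (join(home, name, out, len) != 0)
        return -1;
    return access(out, R_OK) == 0 ? 0 : -1; /* access() uses the real uid/gid */
}

/* Constructed scenario: "note" exists in cwd but not under the claimed home.
 * Returns 1 if the old order accepts and the corrected order rejects. */
int demo(void)
{
    char base[64], home[80], a[256], b[256];
    snprintf(base, sizeof base, "/tmp/ar_demo_%ld", (long)getpid());
    snprintf(home, sizeof home, "%s/home", base);
    if (mkdir(base, 0700) != 0 || mkdir(home, 0700) != 0 || chdir(base) != 0)
        return 0;
    int fd = open("note", O_CREAT | O_WRONLY, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    int old = check_then_resolve(home, "note", a, sizeof a);
    int fixed = resolve_then_check(home, "note", b, sizeof b);
    unlink("note");
    return old == 0 && fixed == -1;
}

int main(void) { printf("only corrected order rejects: %d\n", demo()); return 0; }
```

    Even with the order corrected, access() followed by a later privileged
    read leaves a window in which the path can be replaced. Taking the home
    directory from the passwd entry for the real uid and opening the file
    with the user's own privileges closes both.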