The program /usr/bin/mail is a simple mail user agent that can also be used in batch mode, for example to send mail to the administrator when running cron tasks. A bug in /usr/bin/mail allows a local root compromise in all versions of OpenBSD, including OpenBSD Current, prior to April 9, 2002.
Credit:
The information has been provided by Milos Urbanek and Dries Schellekens.
The program /usr/bin/mail accepts escape sequences while running in non-interactive mode. When an attacker inserts an escape sequence into the stream used as input to the mail command, the mail command interprets it. This in turn allows the attacker to execute arbitrary commands or read/write any file on the system with the privileges of the user running /usr/bin/mail.
Impact:
Users can gain superuser privileges because the output of the /etc/daily script is piped to the /usr/bin/mail command while running regular cron tasks. A method developed by Przemyslav Frasunek allows a local attack by creating a file with a specially designed filename and permissions. A method of remote exploitation of this bug is currently unknown.
Contact Status:
The vendor was contacted on 2002-04-08. A problem report related to the security advisory was sent on 2002-04-10. A security patch has been made available.
Available Fixes:
A patch is available at: http://www.openbsd.org/errata29.html
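For scripts that pipe untrusted output into /usr/bin/mail in batch mode, as /etc/daily does, the filter below is an added example (not part of the advisory or of OpenBSD's patch) that keeps any body line from starting with the escape character. It assumes the escape character is mail's default, "~"; the function names and the sample report are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): filter for batch output that is
# piped into mail(1), so no body line can start with the escape character.
# Assumption: the escape character is mail(1)'s default, "~".
ESC='~'

# Copy stdin to stdout, prefixing a space to every line that begins with
# the escape character so mail(1) sees it as ordinary body text.
neutralize_escapes() {
    sed "s/^${ESC}/ ${ESC}/"
}

# Print how many lines on stdin begin with the escape character.
count_escape_lines() {
    grep -c "^${ESC}" || true
}

# Hypothetical wrapper: buffer the report, warn if escape-looking lines
# were present, then hand the neutralized text to the command in "$@"
# (for example: mail -s "daily output" root).
send_report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    n=$(count_escape_lines < "$tmp")
    if [ "$n" -gt 0 ]; then
        echo "warning: $n line(s) began with '${ESC}' and were neutralized" >&2
    fi
    neutralize_escapes < "$tmp" | "$@"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: the second line stands in for attacker-influenced
# text (such as a file name) that ends up in the report.
sample_report() {
    printf '%s\n' 'Checking subsystem status:' \
        '~ constructed line starting with the escape character' \
        'disk ok'
}
```

The warning on stderr gives an operator a signal that something in the report began with the escape character; the filter is a stopgap for unpatched hosts, not a substitute for the errata patch.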