|
There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid root. These programs are configured suid root in order to bind to a privileged port for rpop authentication. However, there is a non-security conflict between mh and the default Red Hat 2.1 configuration in that the /etc/services lists pop-2 and pop-3 services, but the mh utilities do lookups for a pop service, which doesn't exist, resulting in an inability to use any of the pop functionality. This may be a fortunate bug, since there may be more serious security holes within the pop functions of these two program. The security hole present in these two programs is that when opening up the configuration files in the user's home directory, root privileges are maintained, and symbolic links are followed. This allows an arbitrary file to to be opened. Fortunately, the program does not simply dump the contents of this file anywhere, and only certain formatting is allowed in the file to be processed by the program in order to see any output. In the cases where it will be processed, only the first line of the file will actually be output to the user. Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk Affected Operating Systems: RedHat 2.1 linux distribution Requirements: account on system Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk Security Compromise: read 1st line of some arbitrary files Author: Dave M. (davem@cmu.edu) Synopsis: inc & msgchk fail to check file permissions before opening user configuration files in the user's home directory, allowing a user on the system to read the first line of any file on the system with some limitations. Exploit: $ ln -s FILE_TO_READ ~/.mh_profile $ /usr/bin/mh/msgchk