Proof of Concept - Security Advisory                        02/15/99
http://poc.csoft.net                                     Released by
poc@csoft.net                                    sw3wn@poc.csoft.net

---

Affected Program        mail.local (Berkeley Sendmail)
Description             Local mailer (forward mail to mailboxes)
Severity                Mailbox compromise


Synopsis:

mail.local is a small program distributed with Berkeley Sendmail and
used as the local mailer (it appends incoming mail to users' mailboxes);
it can also speak LMTP.  It runs SUID root in order to write to the
users' mailboxes in the spool (i.e. /var/spool/mail or /usr/spool/mail).

Overview:

When mail has to be written to a user's mailbox on the local machine, a
local mailer is used; the mail.local program that comes with Sendmail
does this job, but it neither restricts the length of a message nor
verifies the identity of the user who submits it.

This is obviously not a big security issue in itself, but it still has
to be fixed, as it could lead to more serious problems on a system with
lots of e-mail accounts.

Problem:

This can lead to the compromise of anybody's mailbox: from fake (and
totally untraceable) messages to flooding the mailbox (and possibly the
disk it lives on).  I found this by inspecting the source code for
buffer overflows heh.

Say I wanted to send user joe a fake message that looks like it came
from root; simply running
   mail.local -f root joe
   <message+eof>
does it.  mail.local takes the address given with -f as the envelope
sender without checking it against the user who invoked it, and simply
dumps the message into the user's mailbox as you enter it.

Since mail.local does not check the message length, you can flood a
mailbox (and possibly fill the disk) in a matter of seconds.

Finally, mail.local only checks that a user exists by looking the name
up in /etc/passwd; that means anybody could create mailboxes for system
accounts like bin, nobody, etc. (usually not a security compromise in
itself).
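To make the two missing checks concrete, here is an added example of a
minimal local-delivery routine in the spirit of mail.local.  It is
illustrative code written for this advisory, not mail.local's own
source: the function names, the 4 MiB default cap, the rule that only
uid 0 may claim an arbitrary -f sender, and the sample message are all
assumptions.  It (1) refuses an envelope sender that does not match the
invoking user unless the invoker is root, (2) stops copying once the
body exceeds the cap, logs the attempt to syslog and rolls the mailbox
back to its previous length, and (3) escapes body lines that begin with
"From " as ">From " so a message body cannot forge a new mailbox entry.

```c
/* Added example, not mail.local's code. Names, the 4 MiB cap and the
 * "uid 0 may claim any sender" rule are assumptions for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>

#define MAX_MSG_BYTES (4UL * 1024 * 1024)   /* assumed cap: 4 MiB */

enum deliver_status { DELIVER_OK = 0, DELIVER_BAD_SENDER = 1,
                      DELIVER_TOO_BIG = 2, DELIVER_IO_ERROR = 3 };

/* Return 1 if 'invoker' may claim 'claimed' as the envelope sender.
 * An unprivileged user may only send as themselves; uid 0 (the MTA,
 * which runs the local mailer as root) may claim any sender. */
int sender_allowed(const char *claimed, const char *invoker, uid_t invoker_uid)
{
    if (invoker_uid == 0)
        return 1;
    return claimed != NULL && invoker != NULL && strcmp(claimed, invoker) == 0;
}

/* Login name for a uid, or NULL if the uid is not in the passwd database. */
const char *invoker_name(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw ? pw->pw_name : NULL;
}

/* Append one message from 'in' to 'mbox' in mbox format: a "From sender
 * date" separator, the body with any line starting with "From " escaped
 * as ">From ", then a blank line.  Once more than 'max_bytes' of body has
 * been read, log it, truncate the mailbox back to where this message
 * started and return DELIVER_TOO_BIG, so a flood cannot fill the spool. */
int deliver_message(FILE *in, FILE *mbox, const char *sender,
                    const char *date, size_t max_bytes, size_t *body_bytes)
{
    char line[8192];
    size_t total = 0, len;
    int at_line_start = 1;          /* only escape "From " at a real line start */
    long start = ftell(mbox);

    if (fprintf(mbox, "From %s %s\n", sender, date) < 0)
        return DELIVER_IO_ERROR;

    while (fgets(line, sizeof line, in) != NULL) {
        len = strlen(line);
        total += len;
        if (total > max_bytes) {
            syslog(LOG_WARNING, "message from %s exceeds %zu bytes, rejected",
                   sender, max_bytes);
            if (start >= 0) {       /* roll back the partial message */
                fflush(mbox);
                (void)ftruncate(fileno(mbox), start);
                fseek(mbox, start, SEEK_SET);
            }
            if (body_bytes) *body_bytes = total;
            return DELIVER_TOO_BIG;
        }
        if (at_line_start && strncmp(line, "From ", 5) == 0 && fputc('>', mbox) == EOF)
            return DELIVER_IO_ERROR;
        if (fputs(line, mbox) == EOF)
            return DELIVER_IO_ERROR;
        at_line_start = (len > 0 && line[len - 1] == '\n');
    }
    /* terminate an unterminated last line, then the mbox blank separator */
    if ((!at_line_start && fputc('\n', mbox) == EOF) || fputc('\n', mbox) == EOF)
        return DELIVER_IO_ERROR;
    if (body_bytes) *body_bytes = total;
    return DELIVER_OK;
}

char demo_out[4096];   /* mailbox text produced by the last demo_deliver() */

/* Deliver the constructed message 'msg' from 'sender' into a temporary
 * mailbox with a fixed date, copy the result into demo_out, return status. */
int demo_deliver(const char *msg, const char *sender, size_t max_bytes)
{
    FILE *in = fmemopen((void *)msg, strlen(msg), "r");
    FILE *mbox = tmpfile();
    size_t n, got;
    int rc;

    if (!in || !mbox) return DELIVER_IO_ERROR;
    rc = deliver_message(in, mbox, sender, "Mon Feb 15 12:00:00 1999", max_bytes, &n);
    fflush(mbox);
    rewind(mbox);
    got = fread(demo_out, 1, sizeof demo_out - 1, mbox);
    demo_out[got] = '\0';
    fclose(in);
    fclose(mbox);
    return rc;
}

int main(void)
{
    uid_t uid = getuid();
    const char *me = invoker_name(uid);
    const char *claimed = "root";   /* what `mail.local -f root joe` would pass */

    if (!sender_allowed(claimed, me, uid))
        fprintf(stderr, "refusing -f %s: invoker is %s (uid %u)\n",
                claimed, me ? me : "?", (unsigned)uid);
    /* constructed sample message, delivered as the invoking user */
    demo_deliver("Subject: test\n\nFrom me to you\n", me ? me : "nobody", MAX_MSG_BYTES);
    fputs(demo_out, stdout);
    return 0;
}
```

The sender check is deliberately simple: it compares login names, which
is enough for a SUID mailer because getuid() gives the real uid of the
caller regardless of the SUID bit; a real mailer would also want the
same check for the -r alias and for the LMTP MAIL FROM command.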

Examples:
 [http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz]
 [http://poc.csoft.net/advs/mail.local/junk.tar.gz]

Patch/Fix:
 [http://poc.csoft.net/advs/mail.local/mail.local.diff]

Status:

I contacted the authors about this; since this is not a big security
concern for most people, it's not a hurry =p.  I made a quick-and-dirty
patch that logs attempts to send messages bigger than X to syslog (you
really should adapt it to your system if you want to use it).
I really had nothing to do today.

.sw3

