CVE-1999-0841

Vulnerability

A buffer overflow vulnerability exists in the mailtool utility within the Common Desktop Environment (CDE) on Solaris 7. This vulnerability is triggered when mailtool processes an email with a long MIME Content-Type field, such as Content-Type: image/aaaaaaaa...; name="test.gif". The mailtool binary is installed with the setgid bit set to the mail group, allowing members of this group to read and write any user's mailbox [1].

Exploitation

A local attacker can exploit this vulnerability by sending a specially crafted email to a user on the vulnerable system. When the victim user opens or selects this email within mailtool, the overflow occurs. The attacker needs to craft shellcode that, when executed, grants them root privileges. The exploit requires the attacker to be able to send mail to a user on the system and for that user to interact with the malicious email using mailtool [1].

Impact

Successful exploitation of this vulnerability allows a local attacker to gain root privileges on the affected Solaris 7 system. Additionally, the vulnerability can lead to a compromise of local email data, as mail files are typically set with permissions allowing read and write access for members of the mail group [1].

Mitigation

As of November 30, 1999, Solaris 7 was the only known vulnerable platform. Information regarding a specific patch or fixed version is not available in the provided references. Users are advised to consult vendor advisories for the latest information on mitigation strategies and available patches [1].