CVE-1999-1014

Vulnerability

A buffer overflow exists in the mail command on Solaris 2.7 (and possibly 2.7 x86). The vulnerability is triggered by supplying an overly long argument to the -m option. The mail binary is setgid mail and drops privileges before the overflow occurs under normal circumstances, but the overflow still allows arbitrary command execution as the mail group. Affected versions include Solaris 2.7 on SPARC and x86 [1][2].

Exploitation

An attacker must have local access to the system and can run /usr/bin/mail -m <long_string> foo. The long string overflows a buffer, overwriting the return address. However, because mail drops its setgid privileges before the overflow, the resulting shell executes with the original user's privileges, not the mail group. A working exploit uses shellcode that calls setregid(getegid(), getegid()) to align the real and effective GID, allowing the spawned shell to retain the effective GID (mail) and thus execute with group mail privileges [1]. The exploit was demonstrated on Solaris x86 2.7.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the effective GID of mail. This can lead to reading or writing mail files owned by group mail, potentially accessing other users' mail spools or interfering with mail delivery. The attacker does not gain root or full system compromise but can escalate from a standard user to the mail group and perform actions normally restricted to that group [1][2].

Mitigation

Sun Microsystems released a patch for this vulnerability. For Solaris 2.7, the recommended fix is to install the appropriate patch from Sun. As of the public disclosure date (September 1999), no workaround other than applying the vendor patch was provided. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should ensure their system is patched to the latest recommended cluster [1][2].