CVE-1999-1542
Description
RPMMail before 1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the MAIL FROM field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RPMMail before 1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the MAIL FROM field.
Vulnerability
RPMMail versions before 1.4, as distributed on the Red Hat 6.0 Extra Applications CD, contain a command injection vulnerability in the handling of email messages. The application fails to sanitize the "MAIL FROM" header, allowing shell metacharacters to be passed to a system() call. By default, RPMMail is installed setuid-root, and its invocation via .forward accepts email input from remote senders, making the code path reachable without prior authentication. [1], [2]
Exploitation
An attacker can send a specially crafted email to the target host, addressing it to the rpmmail user. The exploit consists of injecting shell metacharacters, such as a semicolon, into the "MAIL FROM" header. For example, a message with From: ;/usr/bin/id; triggers execution of the injected command. No special network position is required beyond the ability to send email to the server; no authentication or user interaction is needed on the target side, as the .forward mechanism automatically invokes RPMMail upon receipt of the email. [2]
Impact
Upon successful exploitation, the attacker achieves arbitrary command execution. The privilege level of the executed commands depends on the underlying shell configuration. If /bin/sh is linked to a version of bash that drops privileges (e.g., SuSE Linux 6.2), the command runs with the privileges of the rpmmail user (typically unprivileged like "nobody"). On systems where bash does not drop privileges (e.g., Debian with modified bash), or if /bin/sh is linked to another shell like bash 1.x, the setuid-root binary may retain root privileges, leading to full root compromise. Thus, the impact ranges from remote command execution as an unprivileged user to local/remote root access. [1], [2]
Mitigation
The vendor addressed this vulnerability by releasing RPMMail version 1.4, available from their FTP site as rpmmail-1.4.tar.gz or the RPM package rpmmail-1.4-2.i386.rpm. Users with version 1.3 or earlier should upgrade to version 1.4 immediately. No workarounds are documented in the available references. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.