COMMAND

autoreply(1)

SYSTEMS AFFECTED

Any system with a standard installation of The Elm Mail System. All versions are believed to have this vulnerability.

PROBLEM

Autoreply takes a filename as an argument. It then checks that the real uid has permission to read the specified file. Fine, a suid program should do just that. But then it does the fatal thing: it checks whether the filename has a / in front of it, and if it doesn't, autoreply does things the easy way. The program just reads the environment variable $HOME to find the full path of the file...! Had this been done before the test of readability, things would have been fine, but after... Well, autoreply doesn't complain about the file, and since arepdaemon has to run as root, it can read any specified file. Hence, you can do the following:

    $ cd $HOME
    $ echo x > passwd
    $ export HOME=/.secure/etc
    $ autoreply passwd
    $ mail geiri < /dev/null

And the file pops up in your inbox...
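The ordering flaw described above, next to the corrected order, as an added example that is not Elm's source code: all function names, the file name reply.txt and the temporary directories are hypothetical, and demo() builds its own constructed input under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Build the path that will later be read: absolute names are used as given,
   relative names are placed under home (the $HOME behaviour on the page). */
static int resolve(const char *name, const char *home, char *out, size_t n)
{
    int len = (name[0] == '/') ? snprintf(out, n, "%s", name)
                               : snprintf(out, n, "%s/%s", home, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Order described on the page: access() sees the name as typed (relative to
   the current directory); the path is rewritten only afterwards. */
int accept_check_then_resolve(const char *name, const char *home, char *out, size_t n)
{
    if (access(name, R_OK) != 0)
        return -1;
    return resolve(name, home, out, n);  /* stored path was never checked */
}

/* Corrected order: resolve first, then check the exact string that is stored. */
int accept_resolve_then_check(const char *name, const char *home, char *out, size_t n)
{
    if (resolve(name, home, out, n) != 0)
        return -1;
    return access(out, R_OK) == 0 ? 0 : -1;
}

/* Constructed demo: the current directory holds a readable "reply.txt", while
   home names an empty directory. Returns 0 if the request is accepted. */
int demo(int corrected)
{
    char cwd[] = "/tmp/arep_cwd_XXXXXX", home[] = "/tmp/arep_home_XXXXXX";
    char out[4096];
    FILE *f;
    if (!mkdtemp(cwd) || !mkdtemp(home) || chdir(cwd) != 0)
        return -2;
    if ((f = fopen("reply.txt", "w")) == NULL)
        return -2;
    fputs("constructed sample\n", f);
    fclose(f);
    return corrected ? accept_resolve_then_check("reply.txt", home, out, sizeof out)
                     : accept_check_then_resolve("reply.txt", home, out, sizeof out);
}

int main(void) { printf("flawed=%d corrected=%d\n", demo(0), demo(1)); return 0; }
```

Even in the corrected order, a check made at submission time can go stale before a privileged daemon reads the file; opening the file with the requesting user's privileges at read time closes that gap.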