I. BACKGROUND

$ more /usr/ports/mail/youbin/pkg-descr 
---- From README (slightly modified) ---

youbin is a kind of biff in the network age. When youbin is used, the
mail spool of a certain, specific machine (mail server) is observed to
inform the arrival of mail to a user at an arbitrary machine through
the network.  On the other hands, the conventional "biff" informs only
the user who logs in at the machine on which the mail spool
resides. Combining with POP, youbin eliminates a lot of NFS mount of
mail spool directory caused by checking mail arrival.

More information is available at:
http://www.agusa.nuie.nagoya-u.ac.jp/software/agusalab/youbin/youbin-e.html

II. DESCRIPTION

Insufficient bounds checking leads to execution of arbitrary code. 
perl exploit follows this document.

III. ANALYSIS

Upon setting a large value for the HOME environment variable a buffer can be
overflowed. Since youbin is setuid root this effectively allows for a full
system compromise.

Example run:
$ id
uid=1000(kokanin) gid=1000(kokanin) groups=1000(kokanin), 0(wheel)
$ perl DSR-youbin.pl 
# id
uid=0(root) gid=1000(kokanin) groups=1000(kokanin), 0(wheel)

IV. DETECTION

youbin-3.4 shipping with freebsd ports per 02/03/03, the latest available
at the time of writing, is known to be vulnerable.

V. WORKAROUND

# chmod -s `which youbin`

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

5/5/03 - FreeBSD port maintainer notified
5/5/03 - FreeBSD port maintainer replies, bug is known, apparently no fix
is planned at the moment
6/5/03 - public disclosure

IX. CREDIT

Knud Erik Højgaard/kokanin, dtors security research