Bugtraq mailing list archives

Re: Security Info (root broken)


From: pluvius () dragon achilles net (pluvius)
Date: Wed, 28 Sep 1994 19:13:38 -0400 (EDT)


> of (thanks for nothing, security thru obscurity folks - the crackers DO
> have information that is denied us 'ordinary' folks).  This was a new
> install, and it lasted about 4 days.   One person heard thru the cracker
> grapevine that root was broken thru /bin/mail.  HOW?!  The permissions-
> fixing script from Sun had been run, plus things like arp, chill and

the bug in /bin/mail is fairly well known (not the one that sunos has a 
patch out for, but the one after - after the 8lgm advisory about this, 
there was some talk in comp.security.unix about any setuid root /bin/mail 
being vulnerable) as well as that "Guide to securing your SunOS 4.1.3 
machine" article talked a lot about that (btw: is anyone maintaining that? 
it's a great file) i don't think CERT or sun has an advisory or patch for 
it... just the ones mentioned in comp.security.unix


> Can someone out there please inform me how these cracker types are getting
> root privs, and how one can stop it short of disconnecting the machine?
> And most important, how one can test for these vulnerabilities, and FIX
> them.  Is there a hole in /bin/mail?  How does one test for it (I am working
> on a port of net-2s /bin/mail replacement).  Also, how can one prevent

yes there is a bug in /bin/mail - if it is setuid root (ie: used as a 
delivery agent) it can be exploited to gain root access. there was an 
advisory about this ages ago (i forget who, some guy called Joerg 
Czeranski wrote it i think) - his solution was to use a local delivery 
agent he wrote called mail.local - if you want to close this hole, chmod 
u-s /bin/mail, install either procmail or the mail.local (which i have 
yet to find anywhere; procmail is easy to find... (i forget where.. 
archie is your friend)), and then edit your Mlocal line in 
/etc/sendmail.cf to be procmail instead of /bin/mail

as for the bug in it... umm.. well.. i dunno.. there is one (i won't be 
like jsz and say 'perhaps') and it is fairly well known and exploited.
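The check-and-close sequence pluvius describes (find out whether /bin/mail carries the setuid bit, strip it with chmod u-s, and point the Mlocal mailer in sendmail.cf at procmail) as a small POSIX shell script. This is an added example, not code from the post, from Sun, or from the procmail or sendmail projects; the procmail path /usr/local/bin/procmail and the "procmail -Y -d $u" argument string are assumptions, and the sample sendmail.cf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a local delivery agent for the setuid bit and
# rewrite the Mlocal mailer line in a sendmail.cf to use procmail.
# Assumed procmail location (not from the original post).
PROCMAIL=/usr/local/bin/procmail

# Return 0 if the file in $1 has the setuid bit (mode 4000) set, else 1.
# -prune keeps find from descending if $1 happens to be a directory.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Return 0 if $1 is owned by root; a setuid bit only yields root when the
# owner is root, which is the case for a stock /bin/mail.
is_root_owned() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# Close the hole the post describes: drop the setuid bit (chmod u-s).
drop_setuid() {
    chmod u-s "$1"
}

# Report on a mail binary; pass "fix" as $2 to strip the bit in place.
# Returns 1 when the binary was found setuid, 0 otherwise.
audit_mail() {
    if is_setuid "$1"; then
        if is_root_owned "$1"; then
            echo "$1: setuid and root-owned - exploitable if used as the delivery agent"
        else
            echo "$1: setuid (owner is not root)"
        fi
        if [ "$2" = "fix" ]; then
            drop_setuid "$1" && echo "$1: setuid bit removed"
        fi
        return 1
    fi
    echo "$1: not setuid"
    return 0
}

# Rewrite the Mlocal line: $1 = existing sendmail.cf, $2 = output file.
# Only the P= (program) and A= (argument vector) fields of the Mlocal
# mailer are changed; the F=, S= and R= fields and all other lines are
# copied through unchanged. The -Y and -d options are real procmail flags
# (Berkeley mailbox format, explicit delivery to the named recipient).
replace_mlocal() {
    sed -e '/^Mlocal/{
        s|P=[^,]*|P='"$PROCMAIL"'|
        s|A=.*|A=procmail -Y -d $u|
    }' "$1" > "$2"
}

# Usage (run as root on the real files):
#   audit_mail /bin/mail fix
#   replace_mlocal /etc/sendmail.cf /etc/sendmail.cf.new && diff /etc/sendmail.cf /etc/sendmail.cf.new
```

The script only ever writes the rewritten sendmail.cf to a separate output path so the change can be diffed and reviewed before it is put in place; /bin/mail itself is modified only when "fix" is passed explicitly.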
