Bugtraq mailing list archives
Re: Security Info (root broken)
From: pluvius () dragon achilles net (pluvius)
Date: Wed, 28 Sep 1994 19:13:38 -0400 (EDT)
> of (thanks for nothing, security thru obscurity folks - the crackers DO have information that is denied us 'ordinary' folks). This was a new install, and it lasted about 4 days. One person heard thru the cracker grapevine that root was broken thru /bin/mail. HOW?! The permissions-fixing script from Sun had been run, plus things like arp, chill and

the bug in /bin/mail is fairly well known (not the one that sunos has a patch out for, but the one after - after the 8lgm advisory about this, there was some talk in comp.security.unix about any setuid root /bin/mail being vulnerable) as well as that "Guide to securing your SunOS 4.1.3 machine" article talked a lot about that (btw: is anyone maintaining that? it's a great file). i don't think CERT or sun has an advisory or patch for it... just the ones mentioned in comp.security.unix

> Can someone out there please inform me how these cracker types are getting root privs, and how one can stop it short of disconnecting the machine? And most important, how one can test for these vulnerabilities, and FIX them. Is there a hole in /bin/mail? How does one test for it (I am working on a port of net-2's /bin/mail replacement). Also, how can one prevent

yes there is a bug in /bin/mail - if it is setuid root (ie: used as a delivery agent) it can be exploited to gain root access. there was an advisory about this ages ago (i forget who, some guy called Joerg Czeranski wrote it i think) - his solution was to use a local delivery agent he wrote called mail.local - if you want to close this hole, chmod u-s /bin/mail, install either procmail or the mail.local (which i have yet to find anywhere, procmail is easy to find... (i forget where.. archie is your friend)), and then edit your Mlocal line in /etc/sendmail.cf to be procmail instead of /bin/mail

as for the bug in it... umm.. well.. i dunno.. there is one (i won't be like jsz and say 'perhaps') and it is fairly well known and exploited.
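A check for the two steps described in the message above (clearing the setuid bit on /bin/mail and pointing Mlocal at a different delivery agent), added here as an example and not part of the original post. The function names, the procmail path and the comma-separated `Mlocal, P=...` layout of the sample sendmail.cf are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mitigation described
# above. Paths are parameters so it can be run against copies of the files.

# Print the P= path of the Mlocal mailer definition in a sendmail.cf.
# Continuation lines (leading whitespace) are joined to the M line.
local_mailer_path() {
    awk '
        /^Mlocal[, \t]/ { inm = 1; def = $0; next }
        inm && /^[ \t]/ { def = def $0; next }
        { inm = 0 }
        END {
            n = split(def, f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] ~ /^P=/) { print substr(f[i], 3); exit }
            }
        }
    ' "$1"
}

# Usage: audit_bin_mail <sendmail.cf> [path to mail binary, default /bin/mail]
# Returns 0 when both steps of the fix are in place, 1 otherwise.
audit_bin_mail() {
    cf=$1; mailbin=${2:-/bin/mail}; result=0
    [ -r "$cf" ] || { echo "ERROR: cannot read $cf"; return 1; }
    if [ -u "$mailbin" ]; then
        echo "FINDING: $mailbin is setuid (fix: chmod u-s $mailbin)"
        result=1
    fi
    agent=$(local_mailer_path "$cf")
    if [ "$agent" = "$mailbin" ]; then
        echo "FINDING: Mlocal in $cf still delivers through $mailbin"
        result=1
    else
        echo "INFO: Mlocal delivery agent is ${agent:-<not found>}"
    fi
    return $result
}

# Demo on constructed sample files in a scratch directory.
demo=$(mktemp -d)
: > "$demo/mail"; chmod 4755 "$demo/mail"
printf 'Mlocal, P=%s, F=rlsDFMmnP, S=10, R=20, A=mail -d $u\n' "$demo/mail" > "$demo/sendmail.cf"
audit_bin_mail "$demo/sendmail.cf" "$demo/mail" || echo "=> not yet mitigated"
rm -rf "$demo"
```

On a real host, call `audit_bin_mail /etc/sendmail.cf` with no second argument to check /bin/mail itself.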