Re: Known Bugs in Ultrix v4.3A

[cellwood () gauss ELEE CalPoly EDU (Chris Ellwood)]

J.R. Lillard said...
> Somebody asked this before, but I saw no replies.  Are there any know 
> bugs for ULTRIX 4.3A?

Yes.  There are several.

/bin/mail has a few race conditions, mostly involving the creation of
/tmp files.  I assisted a colleague of mine in writing an exploitation
script to demonstrate the problem and it was posted to this list back
in November.  If you can't find it, I'll post it again.

Ultrix sendmail also has the "standard" vendor sendmail bugs, such as
the newline-in-queuefile bug and the return-mail-to-pipe bug, all of
which have all been discussed at great length on bugtraq and are
superficially covered in CERT Advisories CA-95:05 and CA-94:12.

The lpr subsystem also has a security hole, described in
8lgm-Advisory-3.UNIX.lpr.19-Aug-1991.

DEC currently recommends upgrading to Ultrix v4.4 and installing their
security patch kit to fix all of these problems.  The one security hole
that DEC's patch does not fix is the sendmail queuefile bug.  This bug
can only be exploited from within your system and is fixed in sendmail
8.6.1[012]  For more information on the DEC security patch kit, take a
look at CIAC Bulletin E-24, available at
http://ciac.llnl.gov/ciac/bulletins/e-24.shtml

If performing the DEC upgrade is infeasible for you, I strongly recommend
that you get rid of the Ultrix default /bin/mail and /usr/lib/sendmail
and replace them with procmail and sendmail v8.6.12.  Also, take a look
at the 8lgm fix for the lpr problem. 

If you need any more information, let me know.

- Christopher Ellwood <cellwood () gauss calpoly edu>
EL/EE Dept. System Administrator - Cal Poly - San Luis Obispo, California