Bugtraq mailing list archives

Re: Solaris mailx hole


From: jfbuergler () ztl ch (Josef Buergler)
Date: Tue, 2 Jul 1996 19:04:45 +0200


Casper wrote:
-------------------- begin included message ---------------------------
Very interesting.

In Solaris 2.5,

        /usr/bin/mail is set-gid mail, not set-uid root
        /usr/bin/mailx is set-gid mail, not set-uid root
        /usr/lib/sendmail doesn't use /bin/mail for the delivery of
        mail, it uses /usr/lib/mail.local

If there's a problem I really want to get it fixed, but considering that
mail delivery uses an entirely different program in Solaris 2.5, I find
it hard to believe that the 8lgm exploit still works.

Even in Solaris 2.3 with patches all I get is bounced mail with:

mail: '/var/mail/root' must be regular or character special file with no links

or no output at all.

(this is with /bin/mail patch 101574-04 but the readme doesn't list any
security fixes)
------------------- end included message -----------------------------

I can confirm what Casper says. I tried to exploit the hole on my system
running Solaris 2.5 with the recommended patches

Patch: 103468-01  Obsoletes:   Packages: SUNWcsu
Patch: 103279-01  Obsoletes:   Packages: SUNWcsu, SUNWcsr
Patch: 102980-04  Obsoletes:   Packages: SUNWcsu, SUNWcsr
Patch: 103093-03  Obsoletes:   Packages: SUNWcsr, SUNWcar
Patch: 102832-01  Obsoletes:   Packages: SUNWolrte, SUNWolslb
Patch: 103300-02  Obsoletes:   Packages: SUNWoldst
Patch: 102971-01  Obsoletes:   Packages: SUNWscpu

(including the security patch not included in the recommended patches)!

          I was not able to exploit the hole on this system!

Just my 0.02$

     ^ _ ~~~~~~~^^^^^^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ^ / V | Dr. Josef F. Buergler                Phone :   +41 41 349 3351
 / V    | ZTL, Ingenieurschule HTL             Fax:      +41 41 349 3960
/  ZTL  | Technikumstr                         E-mail: JFBuergler () ztl ch
|~~~~~~~  CH-6048 HORW        www:  http://www.ztl.ch/personell/jfb.html
PGP fingerprint:        E2 69 28 2A 2D 64 6E D4  60 01 AA 01 10 67 50 26
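As an added illustration, not part of this thread, here is a small POSIX sh audit helper for the two Solaris 2.5 facts Casper lists: mailbox_ok applies the mail.local rule quoted above (a mailbox must be a regular or character special file with no links), and privileged_delivery_ok checks that a delivery binary such as /usr/bin/mail or /usr/bin/mailx carries set-gid but not set-uid. The function names are mine, and make_fixture builds constructed sample files under a scratch directory (not a real mail spool) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Defender-side checks for
# the conditions described in the thread: mailbox integrity as enforced by
# mail.local, and delivery binaries being set-gid rather than set-uid.

# Return 0 if $1 is a regular or character-special file, is not a symlink,
# and has exactly one hard link (the "no links" rule quoted in the thread).
mailbox_ok() {
    mbox=$1
    if [ -L "$mbox" ]; then return 1; fi            # symlink: refuse
    if [ ! -f "$mbox" ] && [ ! -c "$mbox" ]; then return 1; fi
    links=$(ls -ld "$mbox" | awk '{print $2}')      # ls field 2 = link count
    if [ "$links" -ne 1 ]; then return 1; fi        # hard-linked elsewhere
    return 0
}

# Return 0 if $1 has the set-gid bit and NOT the set-uid bit. In the mode
# string from ls, column 4 is the user-exec slot ('s'/'S' = set-uid) and
# column 7 the group-exec slot ('s'/'S' = set-gid).
privileged_delivery_ok() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    uexec=$(printf '%s' "$mode" | cut -c4)
    gexec=$(printf '%s' "$mode" | cut -c7)
    case "$uexec" in s|S) return 1 ;; esac           # set-uid present: bad
    case "$gexec" in s|S) return 0 ;; esac           # set-gid only: expected
    return 1                                         # neither bit: not a delivery setup
}

# Constructed fixture (hypothetical, not a real system): builds sample files
# in a scratch directory and prints its path so the checks can run offline.
make_fixture() {
    d=${TMPDIR:-/tmp}/mailaudit.$$
    mkdir "$d" || return 1
    : > "$d/goodbox";  chmod 600 "$d/goodbox"        # clean mailbox
    : > "$d/target";   ln "$d/target" "$d/hardlinked" # link count 2
    ln -s "$d/goodbox" "$d/symlinked"                # symlink to a mailbox
    : > "$d/mail";     chmod 2755 "$d/mail"          # set-gid only, like Solaris 2.5
    : > "$d/badmail";  chmod 4755 "$d/badmail"       # set-uid: the risky layout
    printf '%s\n' "$d"
}
```

Run mailbox_ok against /var/mail/<user> and privileged_delivery_ok against the real /usr/bin/mail and /usr/bin/mailx to reproduce Casper's observation on a live host.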