Bugtraq mailing list archives
Re: Solaris mailx hole
From: jfbuergler () ztl ch (Josef Buergler)
Date: Tue, 2 Jul 1996 19:04:45 +0200
Casper wrote: -------------------- begin included message --------------------------- Very interesting. In Solaris 2.5, /usr/bin/mail is set-gid mail, not set-uid root /usr/bin/mailx is set-gid mail, not set-uid root /usr/lib/sendmail doesn't use /bin/mail for the delivery of mail, it uses /usr/lib/mail.local If there's a problem I really want to get it fixed, but considering that mail delivery uses an entirely different program in Solaris 2.5, I find it hard to believe that the 8lgm exploit still works. Even in Solaris 2.3 with patches all I get is bounced mail with: mail: '/var/mail/root' must be regular or character special file with no links or no output at all. (this is with /bin/mail patch 101574-04 but the readme doesn't list any security fixes) ------------------- end included message ----------------------------- I can confirm what Casper says. I tried to exploit the hole on my system running Solaris2.5 with the recomended patches Patch: 103468-01 Obsoletes: Packages: SUNWcsu Patch: 103279-01 Obsoletes: Packages: SUNWcsu, SUNWcsr Patch: 102980-04 Obsoletes: Packages: SUNWcsu, SUNWcsr Patch: 103093-03 Obsoletes: Packages: SUNWcsr, SUNWcar Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb Patch: 103300-02 Obsoletes: Packages: SUNWoldst Patch: 102971-01 Obsoletes: Packages: SUNWscpu (including the security patch not included in the recommended patches)! I was not able to exploit the hole on this system! Just my 0.02$ ^ _ ~~~~~~~^^^^^^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ / V | Dr. Josef F. Buergler Phone : +41 41 349 3351 / V | ZTL, Ingenieurschule HTL Fax: +41 41 349 3960 / ZTL | Technikumstr E-mail: JFBuergler () ztl ch |~~~~~~~ CH-6048 HORW www: http://www.ztl.ch/personell/jfb.html PGP fingerprint: E2 69 28 2A 2D 64 6E D4 60 01 AA 01 10 67 50 26
Current thread:
- CD4300 series BUG, (continued)
- CD4300 series BUG DANIEL .D .EZEKIEL (Jul 02)
- Re: BoS: Re: Solaris mailx hole Travis Hassloch x231 (Jul 02)
- Re: Solaris mailx hole Dave Roberts (Jul 03)
- Re: Solaris mailx hole Andy Dills (Jul 03)
- [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from Jeff Uphoff (Jul 03)
- BoS: *** SECURITY ALERT *** (fwd) Michael Brennen (Jul 03)
- BoS: *** SECURITY ALERT *** (fwd) Mark_W_Loveless () smtp bnr com (Jul 04)
- IIS bug test Paolo Taraboi (Jul 04)
- IMAPD security problems ? Zvi Bar-Deroma (Jul 04)
- Re: IMAPD security problems ? Ian MacPhedran (Jul 04)
- Re: Solaris mailx hole Josef Buergler (Jul 02)
- Re: Solaris mailx hole Rick Otten (Jul 03)