Re: Solaris mailx hole

[andy () bigdog fred net (Andy Dills)]

On Tue, 2 Jul 1996, Casper Dik wrote:

> > It's a very very old hole in /bin/mail that allows race conditions in
> > which .rhosts files can be created...
> >
> > I would have thought this was fixed by 2.5, but it wasn't. My boss just a
> > few minutes ago exploited it on a sol2.5 machine.
>
>
> Very interesting.
>
> In Solaris 2.5,
>
>         /usr/bin/mail is set-gid mail, not set-uid root
>         /usr/bin/mailx is set-gid mail, not set-uid root
>         /usr/lib/sendmail doesn't use /bin/mail for the delivery of
>         mail, it uses /usr/lib/mail.local
>
>
> If there's a problem I really want to get it fixed, but considering that
> mail delivery uses an entirely different program in Solaris 2.5, I find
> it hard to believe that the 8lgm exploit still works.
>
> Even in Solaris 2.3 with patches all I get is bounced mail with:
>
> mail: '/var/mail/root' must be regular or character special file with no links
>
> or no output at all.
>
> (this is with /bin/mail patch 101574-04 but the readme doesn't list any
> security fixes)

Hmm...It must have been fixed then. I wonder why that isn't in the
massive solaris2.5 patch.

(As an update, I did get the script to create a /.rhosts file, owned by
root, linked to /var/mail/root, but for some reason it would stay 0
length.)

Andy

> Casper



              -----/'[/'[/'[Andy Dills]'\]'\]'\-----
 "Founding member of the Frednet.Support"   Phear the big BEAVIS!
"_THIS_ is my BOOM stick!!!!"  --   That Guy from Army of Darkness
 Work:andy () fred net---------->(BOFH)<--------Play:andy () beavis net
        All things BSDish. If it's not BSDish, it's CRAP!
                Andy's Made Up Quote of The Week:
      "To understand solaris2.5, one must suffer and RTFM."