Bugtraq mailing list archives
Re: Solaris mailx hole
From: andy () bigdog fred net (Andy Dills)
Date: Tue, 2 Jul 1996 16:21:14 -0400
On Tue, 2 Jul 1996, Casper Dik wrote:
> > It's a very very old hole in /bin/mail that allows race conditions in which .rhosts files can be created... I would have thought this was fixed by 2.5, but it wasn't. My boss just a few minutes ago exploited it on a sol2.5 machine.
>
> Very interesting.
>
> In Solaris 2.5,
>
>     /usr/bin/mail is set-gid mail, not set-uid root
>     /usr/bin/mailx is set-gid mail, not set-uid root
>     /usr/lib/sendmail doesn't use /bin/mail for the delivery of mail, it uses /usr/lib/mail.local
>
> If there's a problem I really want to get it fixed, but considering that mail delivery uses an entirely different program in Solaris 2.5, I find it hard to believe that the 8lgm exploit still works.
>
> Even in Solaris 2.3 with patches all I get is bounced mail with:
>
>     mail: '/var/mail/root' must be regular or character special file with no links
>
> or no output at all. (this is with /bin/mail patch 101574-04 but the readme doesn't list any security fixes)
>
> Casper

Hmm... It must have been fixed then. I wonder why that isn't in the massive solaris2.5 patch. (As an update, I did get the script to create a /.rhosts file, owned by root, linked to /var/mail/root, but for some reason it would stay 0 length.)

Andy
-----/'[/'[/'[Andy Dills]'\]'\]'\-----
"Founding member of the Frednet.Support"
Phear the big BEAVIS!
"_THIS_ is my BOOM stick!!!!" -- That Guy from Army of Darkness
Work:andy () fred net---------->(BOFH)<--------Play:andy () beavis net
All things BSDish. If it's not BSDish, it's CRAP!
Andy's Made Up Quote of The Week:
"To understand solaris2.5, one must suffer and RTFM."
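
The error quoted in the message above ("must be regular or character special file with no links") describes a check made before a privileged program writes to a mailbox. An added example of such a check, not part of the original thread and not Sun's code; the function name `open_mailbox_safely` is hypothetical and a POSIX.1-2008 system (for `O_NOFOLLOW`) is assumed:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (name is an assumption, not from the thread).
 * Opens an existing mailbox for append and refuses the objects a
 * link-based race depends on. Returns fd >= 0, or -1 on refusal. */
int open_mailbox_safely(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) if the last path component is a symlink.
     * No O_CREAT: a privileged writer must not create files by name here.
     * O_NONBLOCK: do not hang if the name turns out to be a FIFO. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path: the checks then describe the
     * object that was actually opened, so it cannot be swapped in between. */
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    /* "must be regular or character special file with no links" */
    if (!(S_ISREG(st.st_mode) || S_ISCHR(st.st_mode)) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/mail/root";
    int fd = open_mailbox_safely(path);
    if (fd < 0) {
        printf("%s: refused (%s)\n", path, strerror(errno));
        return 1;
    }
    printf("%s: ok to append\n", path);
    close(fd);
    return 0;
}
```

A mailbox that has a second hard link, or a name that is a symlink, is refused rather than written to, which matches the bounced-mail behaviour described in the quoted reply.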