[25063] in bugtraq
Re: local root compromise in openbsd 3.0 and below
daemon@ATHENA.MIT.EDU (Manuel Bouyer)
Mon Apr 15 18:17:01 2002
Date: Sun, 14 Apr 2002 14:12:04 +0200
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: Brett Glass <brett@lariat.org>
Cc: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>, bugtraq@securityfocus.com
Message-ID: <20020414121204.GA806@antioche.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20020412212515.00cc5ac0@nospam.lariat.org>
On Fri, Apr 12, 2002 at 09:25:54PM -0600, Brett Glass wrote:
> At 01:25 PM 4/12/2002, Manuel Bouyer wrote:
>
> >NetBSD isn't vulnerable either.
>
> What about Solaris? Its /bin/mail does not appear to have the -I
> option.

From my 2.7 install, it seems that /bin/mail doesn't have any shell-escape
characters. However /usr/ucb/mail seems to be vulnerable.
But for this to be exploited, there needs to be a /usr/ucb/mail command run
by root, using input which can be influenced in some way by a non-root user.
I don't think there's any in the base distrib but could probably be found
in third-party scripts. It would be best if /usr/ucb/mail was fixed to not
accept shell escapes from non-tty inputs.

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
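
The fix suggested in the message above, sketched as an added example (not code from /usr/ucb/mail or from the original post): escape lines are recognised only when the caller reports that input is a terminal, so piped or scripted input is always treated as message text. The `~` escape character follows mailx convention; `classify_line` and `read_message` are hypothetical names, and the sample lines in the comments are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ESCAPE_CHAR '~'   /* assumption: mailx-style tilde escapes */

enum line_action { LINE_TEXT, LINE_ESCAPE };

/* Decide how one input line is handled while composing a message.
 * interactive must be nonzero only when input comes from a terminal. */
enum line_action classify_line(const char *line, int interactive)
{
    if (!interactive || line[0] != ESCAPE_CHAR)
        return LINE_TEXT;          /* non-tty input is never an escape */
    if (line[1] == ESCAPE_CHAR)
        return LINE_TEXT;          /* doubled escape char asks for literal text */
    return LINE_ESCAPE;
}

/* Copy the message from in to body. Lines recognised as escapes are
 * withheld and counted; nothing is executed in this sketch. Doubled-escape
 * lines are copied unmodified. Lines longer than the buffer arrive in
 * fragments, so the decision is made once, at the start of each line. */
int read_message(FILE *in, FILE *body, int interactive)
{
    char buf[1024];
    int at_start = 1, skipping = 0, escapes = 0;

    while (fgets(buf, sizeof buf, in) != NULL) {
        size_t len = strlen(buf);
        if (at_start) {
            skipping = classify_line(buf, interactive) == LINE_ESCAPE;
            escapes += skipping;
        }
        if (!skipping)
            fputs(buf, body);
        at_start = len > 0 && buf[len - 1] == '\n';
    }
    return escapes;
}

int main(void)
{
    /* The tty check is made on the real input descriptor, not on a flag
     * the caller of the mail command can set. */
    int n = read_message(stdin, stdout, isatty(STDIN_FILENO));
    fprintf(stderr, "escape lines recognised: %d\n", n);
    return 0;
}
```
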