[3043] in bugtraq
Re: Solaris mailx hole
daemon@ATHENA.MIT.EDU (Aleph One)
Sun Aug 4 04:03:21 1996
Date: Sun, 4 Aug 1996 00:04:50 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Aleph One <aleph1@underground.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
From: rk@queens.netuse.de (Roland Kaltefleiter)
In netuse.lists.bugtraq you write:
>On Mon, 1 Jul 1996, Marc Mosko/jfrank/us wrote:
>> Today, someone told me that there's a security hole in Solaris 2.3's mailx
>> program. They didn't have all the details, but said that by creating a "temp"
>> file they could link to an ".rhosts" file and then rlogin as root on the target
>> machine. Somehow this involved mailx. This sound a bit like the race
>> condition hack for ps....
>>
>> On my systems (Solaris 2.3) mailx is "r-x--s--x bin mail". The machines this
>> worked on were 2.5, but as I said I don't have any real details.
>>
>> Has anyone heard of this?
>>
>> Thanks,
>> Marc Mosko
>>
>It's a very very old hole in /bin/mail that allows race conditions in
>which .rhosts files can be created...
>I would have thought this was fixed by 2.5, but it wasn't. My boss just a
>few minutes ago exploited it on a sol2.5 machine.
Hmm, whatever he did, it was *NOT* a 2.5 from stock.
FYI:
Solaris 2.5:
$ uname -a
SunOS www 5.5 Generic_103093-02 sun4d sparc SUNW,SPARCserver-1000
$ ls -l /usr/bin/mail
-r-x--s--x 1 bin mail 66052 Oct 25 1995 /usr/bin/mail
$ ls -l /bin
lrwxrwxrwx 1 root root 9 Jun 22 21:30 /bin -> ./usr/bin
$ ls -l /usr/bin/mailx
-r-x--s--x 1 bin mail 133460 Oct 25 1995 /usr/bin/mailx
And the sendmail.cf PROTOTYPE tells you:
Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnP, S=10, R=20, A=mail.local -d $u
$ ls -l /usr/lib/mail.local
-r-xr-xr-x 1 bin bin 12396 Oct 25 1995 /usr/lib/mail.local
So whatever you did, you did misconfigure your Solaris 2.5.
I assume you took over your sendmail.cf, and when sendmail runs as root,
it starts the local mailer as root. /usr/bin/mail HAS NOT BEEN MADE for that.
You will even hack sendmail 8.7.5 that way.
So update your sendmail.cf :-)
>*sigh*
So how do you want to get root access with a set-gid mail program?
Roland
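The two things Roland checks above (which program the Mlocal mailer in sendmail.cf execs, and whether the mail binaries are set-uid root or merely set-gid mail) can be turned into a small audit. The script below is an added example, not code from the original post or from Sun; it reads constructed sample lines embedded in the script (a stock-looking Mlocal line and ls -l line, and a "taken over" Mlocal line pointing at /usr/bin/mail) rather than a live system, so it runs offline. The sample mode strings, sizes and dates are made up to resemble the listings above, and the classification of /usr/bin/mail and /bin/mail as "risky" local mailers is an assumption drawn from Roland's argument that sendmail running as root would exec them as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sendmail.cf Mlocal
# definition and an "ls -l" line for the configuration Roland describes.
# Sample input below is constructed, not captured from any real host.

# Extract the P= (program) field from an Mlocal mailer definition line.
mlocal_program() {
    printf '%s\n' "$1" | sed -n 's/^Mlocal,[[:space:]]*P=\([^,]*\).*/\1/p'
}

# Classify the local mailer: "ok" when delivery goes through mail.local,
# "risky" when a root sendmail would exec /usr/bin/mail or /bin/mail directly
# (assumption: those are the programs Roland says were not made for that).
audit_mlocal() {
    prog=$(mlocal_program "$1")
    case "$prog" in
        /usr/lib/mail.local)     echo ok ;;
        /usr/bin/mail|/bin/mail) echo risky ;;
        "")                      echo unparsed ;;
        *)                       echo unknown ;;
    esac
}

# Inspect one "ls -l" line (mode links owner group size date... path) and
# report setuid-<owner>, setgid-<group>, or plain. The 4th character of the
# mode string is the user exec bit ('s' = set-uid), the 7th is the group
# exec bit ('s' = set-gid).
audit_perm_line() {
    set -- $1
    mode=$1; owner=$3; group=$4
    case "$mode" in
        ???[sS]??????) echo "setuid-$owner" ;;
        ??????[sS]???) echo "setgid-$group" ;;
        *)             echo plain ;;
    esac
}

# Combine both checks: a root-executed /usr/bin/mail, or a set-uid root mail
# binary, is the configuration the thread argues a stock 2.5 does not have.
audit_host() {
    m=$(audit_mlocal "$1")
    p=$(audit_perm_line "$2")
    if [ "$m" = risky ] || [ "$p" = setuid-root ]; then
        echo VULNERABLE-CONFIG
    else
        echo OK
    fi
}

# Constructed sample data (values chosen to resemble the listings in the post).
STOCK_CF='Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnP, S=10, R=20, A=mail.local -d $u'
BAD_CF='Mlocal, P=/usr/bin/mail, F=flsSDFMmn, S=10, R=20, A=mail -d $u'
STOCK_MAIL='-r-x--s--x 1 bin mail 66052 Oct 25 1995 /usr/bin/mail'
BAD_MAIL='-r-sr-xr-x 1 root bin 66052 Oct 25 1995 /usr/bin/mail'

# Stand-alone run: print the verdict for each combination.
echo "stock cf + stock mail: $(audit_host "$STOCK_CF" "$STOCK_MAIL")"
echo "taken-over cf + stock mail: $(audit_host "$BAD_CF" "$STOCK_MAIL")"
echo "stock cf + setuid-root mail: $(audit_host "$STOCK_CF" "$BAD_MAIL")"
```

On a real host you would feed `grep '^Mlocal' /etc/mail/sendmail.cf` to `audit_mlocal` and `ls -l` of the program it names to `audit_perm_line`; the point of the combined check is that a set-gid-only /usr/bin/mail is harmless by itself and only becomes a root problem when a root-run sendmail is told to exec it.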