[2876] in bugtraq


Re: Solaris mailx hole

daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Jul 2 12:06:55 1996

Date: 	Tue, 2 Jul 1996 10:00:57 +0200
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Casper Dik <casper@holland.Sun.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Your message of "Tue, 02 Jul 1996 01:08:49 EDT."
              <Pine.SUN.3.91.960702005934.18788A-100000@bigdog.fred.net>

>It's a very very old hole in /bin/mail that allows race conditions in
>which .rhosts files can be created...
>
>I would have thought this was fixed by 2.5, but it wasn't. My boss just a
>few minutes ago exploited it on a sol2.5 machine.
Very interesting.

In Solaris 2.5,

        /usr/bin/mail is set-gid mail, not set-uid root
        /usr/bin/mailx is set-gid mail, not set-uid root
        /usr/lib/sendmail doesn't use /bin/mail for the delivery of
        mail, it uses /usr/lib/mail.local
If there's a problem I really want to get it fixed, but considering that
mail delivery uses an entirely different program in Solaris 2.5, I find
it hard to believe that the 8lgm exploit still works.

Even in Solaris 2.3 with patches all I get is bounced mail with:

mail: '/var/mail/root' must be regular or character special file with no links

or no output at all.

(this is with /bin/mail patch 101574-04 but the readme doesn't list any
security fixes)
Casper
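The bounce text Casper quotes, "must be regular or character special file with no links", is the local delivery agent refusing a spool file that is a symlink, has extra hard links, or is not a plain file or device node; that check is what stops the old /bin/mail trick of getting a privileged writer to append to somebody's .rhosts. The program below is an added illustration of that check and is not code from the original post, from Solaris /bin/mail or from /usr/lib/mail.local. The function and enum names, the message strings and the temporary paths are my own choices. It also shows the part a pre-open lstat() alone misses: the file can be swapped between the check and the open(), so the opened descriptor is fstat()ed and compared against what was inspected.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of validating a mail spool file before appending to it. */
enum spool_status {
    SPOOL_OK = 0,
    SPOOL_ERR_STAT,   /* lstat(), open() or fstat() failed */
    SPOOL_ERR_TYPE,   /* not a regular or character-special file */
    SPOOL_ERR_LINKS,  /* a symlink, or a regular file with st_nlink != 1 */
    SPOOL_ERR_RACE    /* object changed between lstat() and open() */
};

/* Human-readable text modelled on the Solaris bounce message quoted above
 * (wording is mine, not the vendor's). */
const char *spool_status_str(enum spool_status s)
{
    switch (s) {
    case SPOOL_OK:        return "ok";
    case SPOOL_ERR_STAT:  return "cannot stat or open spool file";
    case SPOOL_ERR_TYPE:  return "must be regular or character special file";
    case SPOOL_ERR_LINKS: return "must have no links";
    case SPOOL_ERR_RACE:  return "spool file changed underneath us";
    }
    return "unknown";
}

/* Open `path` for append only if it is a regular or character-special
 * file with no extra links. The pre-open lstat() alone is not enough:
 * a local attacker can swap in a symlink or hard link to ~victim/.rhosts
 * between lstat() and open(). So the open descriptor is fstat()ed and
 * compared (device, inode, type, link count) with what was inspected;
 * any difference means the object was replaced and delivery is refused.
 * O_CREAT is never passed: a delivery agent must not create the target.
 * On SPOOL_OK *fdp holds the open descriptor; otherwise *fdp is -1. */
enum spool_status spool_open_checked(const char *path, int *fdp)
{
    struct stat pre, post;
    int fd;

    *fdp = -1;
    if (lstat(path, &pre) != 0)
        return SPOOL_ERR_STAT;
    if (S_ISLNK(pre.st_mode))
        return SPOOL_ERR_LINKS;
    if (!S_ISREG(pre.st_mode) && !S_ISCHR(pre.st_mode))
        return SPOOL_ERR_TYPE;
    /* Device nodes such as /dev/null may legitimately have several
     * names, so the single-link rule is applied to regular files only. */
    if (S_ISREG(pre.st_mode) && pre.st_nlink != 1)
        return SPOOL_ERR_LINKS;

    fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0)
        return SPOOL_ERR_STAT;
    if (fstat(fd, &post) != 0) {
        close(fd);
        return SPOOL_ERR_STAT;
    }
    if (post.st_dev != pre.st_dev || post.st_ino != pre.st_ino ||
        (post.st_mode & S_IFMT) != (pre.st_mode & S_IFMT) ||
        post.st_nlink != pre.st_nlink) {
        close(fd);
        return SPOOL_ERR_RACE;
    }
    *fdp = fd;
    return SPOOL_OK;
}

int main(int argc, char **argv)
{
    int fd;
    enum spool_status st;

    if (argc != 2) {
        fprintf(stderr, "usage: %s /var/mail/user\n", argv[0]);
        return 2;
    }
    st = spool_open_checked(argv[1], &fd);
    printf("%s: %s\n", argv[1], spool_status_str(st));
    if (st == SPOOL_OK)
        close(fd);
    return st == SPOOL_OK ? 0 : 1;
}
```

Run it as `./spoolcheck /var/mail/root` and then again after replacing the spool with a symlink or adding a hard link to it; the second run should refuse with the "links" message. Note that the single-link rule applies only to regular files; a mailbox that is a character device (the old trick of pointing an unwanted mailbox at /dev/null) is still accepted, which is why the vendor message says "regular or character special".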
