[2879] in bugtraq
Re: Solaris mailx hole
daemon@ATHENA.MIT.EDU (Andy Dills)
Tue Jul 2 16:49:55 1996
Date: Tue, 2 Jul 1996 16:21:14 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Andy Dills <andy@bigdog.fred.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <9607020800.AA12859@albano>
On Tue, 2 Jul 1996, Casper Dik wrote:
> >It's a very very old hole in /bin/mail that allows race conditions in
> >which .rhosts files can be created...
> >
> >I would have thought this was fixed by 2.5, but it wasn't. My boss just a
> >few minutes ago exploited it on a sol2.5 machine.
>
>
> Very interesting.
>
> In Solaris 2.5,
>
> /usr/bin/mail is set-gid mail, not set-uid root
> /usr/bin/mailx is set-gid mail, not set-uid root
> /usr/lib/sendmail doesn't use /bin/mail for the delivery of
> mail, it uses /usr/lib/mail.local
>
>
> If there's a problem I really want to get it fixed, but considering that
> mail delivery uses an entirely different program in Solaris 2.5, I find
> it hard to believe that the 8lgm exploit still works.
>
> Even in Solaris 2.3 with patches all I get is bounced mail with:
>
> mail: '/var/mail/root' must be regular or character special file with no links
>
> or no output at all.
>
> (this is with /bin/mail patch 101574-04 but the readme doesn't list any
> security fixes)
Hmm... It must have been fixed then. I wonder why that isn't in the
massive solaris2.5 patch.
(As an update, I did get the script to create a /.rhosts file, owned by
root, linked to /var/mail/root, but for some reason it would stay 0
length.)
Andy
>
> Casper
>
-----/'[/'[/'[Andy Dills]'\]'\]'\-----
"Founding member of the Frednet.Support" Phear the big BEAVIS!
"_THIS_ is my BOOM stick!!!!" -- That Guy from Army of Darkness
Work:andy@fred.net---------->(BOFH)<--------Play:andy@beavis.net
All things BSDish. If it's not BSDish, it's CRAP!
Andy's Made Up Quote of The Week:
"To understand solaris2.5, one must suffer and RTFM."
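The check Casper quotes ("must be regular or character special file with no links") is the classic defence against the mailbox-link race the thread is about: a local user hard-links or symlinks /var/mail/<user> to a file they want root to write, and a privileged delivery agent appends mail into it. Below is an added example of that check, written for this page and not code from /bin/mail, mail.local, the 8lgm exploit, or either poster. It assumes a throw-away spool under /tmp with made-up mailbox names (alice, root, bob, dot_rhosts); the fstat() re-check after open() goes beyond the 1996 check to close the lstat-then-open window, and O_NOFOLLOW is assumed to be available on the target platform.

```c
/* Added example: refuse to deliver into a mailbox that is not a plain,
 * singly-linked regular file, and re-verify after open() so the check
 * cannot be raced. Not the Solaris /bin/mail or mail.local code. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum mbox_status {
    MBOX_OK = 0,
    MBOX_ERR_LSTAT,        /* path missing or not stat-able */
    MBOX_ERR_NOT_REGULAR,  /* symlink, directory, fifo, ... */
    MBOX_ERR_LINKED,       /* st_nlink > 1: a second name (e.g. .rhosts) */
    MBOX_ERR_OPEN,         /* open(O_NOFOLLOW) refused it */
    MBOX_ERR_SWAPPED       /* file changed between lstat() and open() */
};

/* Open `path` for append only if it is a regular file with exactly one
 * name. lstat() alone leaves a TOCTOU window, so open() refuses to follow
 * a symlink and the descriptor is re-checked with fstat(): same device,
 * same inode, still regular, still one link. */
enum mbox_status open_mailbox(const char *path, int *fd_out)
{
    struct stat before, after;
    int fd;

    if (lstat(path, &before) != 0)
        return MBOX_ERR_LSTAT;
    if (!S_ISREG(before.st_mode))
        return MBOX_ERR_NOT_REGULAR;
    if (before.st_nlink != 1)
        return MBOX_ERR_LINKED;

    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return MBOX_ERR_OPEN;

    if (fstat(fd, &after) != 0 ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino ||
        !S_ISREG(after.st_mode) || after.st_nlink != 1) {
        close(fd);
        return MBOX_ERR_SWAPPED;
    }
    *fd_out = fd;
    return MBOX_OK;
}

/* Constructed scratch spool with three cases (assumed names):
 *   out[0] alice: ordinary mailbox                    -> MBOX_OK
 *   out[1] root:  hard-linked to dot_rhosts (the race) -> MBOX_ERR_LINKED
 *   out[2] bob:   mailbox name replaced by a symlink  -> MBOX_ERR_NOT_REGULAR
 * Returns 1 on success, 0 if the spool could not be built. */
int run_demo(enum mbox_status out[3])
{
    char dir[] = "/tmp/mboxdemoXXXXXX";
    char plain[64], linked[64], alias[64], sym[64];
    int fd, i;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(plain,  sizeof plain,  "%s/alice", dir);
    snprintf(linked, sizeof linked, "%s/root", dir);
    snprintf(alias,  sizeof alias,  "%s/dot_rhosts", dir);
    snprintf(sym,    sizeof sym,    "%s/bob", dir);

    if ((fd = open(plain, O_WRONLY | O_CREAT, 0600)) < 0) return 0;
    close(fd);
    if ((fd = open(linked, O_WRONLY | O_CREAT, 0600)) < 0) return 0;
    close(fd);
    if (link(linked, alias) != 0) return 0;   /* second name on root's box */
    if (symlink(plain, sym) != 0) return 0;   /* bob's box is now a symlink */

    const char *cases[3] = { plain, linked, sym };
    for (i = 0; i < 3; i++) {
        out[i] = open_mailbox(cases[i], &fd);
        if (out[i] == MBOX_OK) close(fd);
    }

    unlink(sym); unlink(alias); unlink(linked); unlink(plain); rmdir(dir);
    return 1;
}

/* Verdict for one case, or -1 if the demo spool could not be built. */
int demo_verdict(int which)
{
    enum mbox_status v[3];
    if (which < 0 || which > 2 || !run_demo(v)) return -1;
    return (int)v[which];
}

int main(void)
{
    static const char *names[3] = { "alice (plain)", "root (hard-linked)", "bob (symlink)" };
    for (int i = 0; i < 3; i++)
        printf("%-20s -> status %d\n", names[i], demo_verdict(i));
    return 0;
}
```

The hard-link case is the one that matters for the race Andy describes: a link from /var/mail/root to /.rhosts keeps the file regular, so only the st_nlink test catches it, and only if that test is repeated on the opened descriptor rather than on the path.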