[2883] in bugtraq

Re: Solaris mailx hole

daemon@ATHENA.MIT.EDU (Andy Dills)
Wed Jul 3 13:26:48 1996

Date: 	Wed, 3 Jul 1996 13:11:07 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Andy Dills <andy@bigdog.fred.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.A32.3.91.960703122947.35128A-100000@haddock.saa-cons.co.uk>

On Wed, 3 Jul 1996, Dave Roberts wrote:

> On Tue, 2 Jul 1996, Andy Dills wrote:
>
> > It's a very very old hole in /bin/mail that allows race conditions in
> > which .rhosts files can be created...
> >
> > I would have thought this was fixed by 2.5, but it wasn't. My boss just a
> > few minutes ago exploited it on a sol2.5 machine.
>
> Hmmm, dunno how he did that.  I have 2.5 on an UltraServer1, I haven't
> even got round to installing any patches yet - it's straight off the CD
> (HW 1/96 edition), and the script didn't work at all.
>
> I tried it about 10 times, and failed to win the race condition every
> time, the user targeted just received the mail.

Yeah, I let it run all night and even ran some programs to help "cheat"
the race condition, but all it would ever do is write the file and link
it; it would never make the file non-zero length.

When I first mailed about it, I just saw the output and didn't bother to
check into it that far.

Andy

> Dave Roberts        | "Surfing the Internet" is a sad term for sad people.
> Unix Systems Admin  | Get a board, find a beach, surf some REAL waves and
> SAA Consultants Ltd | get a *real* life.
> Plymouth, U.K.      | -=[For PGP Key, send mail with subject of "get pgp"]=-
>



              -----/'[/'[/'[Andy Dills]'\]'\]'\-----
 "Founding member of the Frednet.Support"   Phear the big BEAVIS!
"_THIS_ is my BOOM stick!!!!"  --   That Guy from Army of Darkness
 Work:andy@fred.net---------->(BOFH)<--------Play:andy@beavis.net
        All things BSDish. If it's not BSDish, it's CRAP!
                Andy's Made Up Quote of The Week:
      "To understand solaris2.5, one must suffer and RTFM."
