Bugtraq mailing list archives
Comments on SunOS /bin/mail patch
From: cellwood () gauss ELEE CalPoly EDU (Chris Ellwood)
Date: Sat, 26 Nov 1994 02:26:50 -0800
I noticed that there hasn't been much discussion on Sun's recently released SunOS v4.1.3 /bin/mail patch (patch# 101436-08), especially in regard to if it fixes any of the three big security holes in /bin/mail, which past Sun patches have failed to do (see 8lgm-Advisory-6.UNIX.mail2.2-May-1994).

After doing some analysis with trace(1) and experimenting with some exploit scripts, it seems that this patch indeed does fix at least one, if not all three, of the race condition holes in /bin/mail.

This new patch seems to prevent the old problem of being able to write to any existing file by exploiting a race condition with the creation of the temp file. None of the exploit scripts developed to exploit this race condition work on the patched version, and careful analysis with trace(1) reveals that this is due to a much improved method of opening temp files.

It also seems to handle mailbox lock files correctly, so I would hope this fixes the mailbox lock file race condition as well, though I have not tested the lock file race condition yet.

Upon cursory analysis, it also seems to have fixed the much publicized /usr/spool/mail mailbox race condition. Perhaps the 8lgm security team could fill us in on that, in light of their excellent analysis of the problems with past Sun patches to fix this particular race condition.

I was going to include a sample trace output to show how Sun fixed the problems (so people can point out potential flaws), but since that would possibly violate the Sun licensing agreement, I won't. Needless to say, the new Sun code seems to do opens and fstats correctly to prevent race conditions, but don't take my word for it. Obtain your own copy and see for yourself.

Again, my analysis is nowhere near complete or that of an expert, so I welcome any and all comments on this.

Regards,

- Christopher Ellwood <cellwood () gauss calpoly edu>
  EL/EE Dept. System Administrator - Cal Poly, San Luis Obispo, California
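The post does not show Sun's code, so the following is an added example, not part of the original message and not Sun's implementation: the general open-then-fstat pattern that closes this class of temp file and mailbox races. The function names are hypothetical, and `O_NOFOLLOW` is a later POSIX flag included as an extra safeguard.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added illustration: hypothetical helper names, not Sun's patched code.
 * New temp file: O_EXCL fails with EEXIST if anything, even a symlink,
 * already exists at path, so a pre-planted name is never written through. */
int create_new_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Existing mailbox: refuse symlinks and extra hard links, then confirm the
 * descriptor refers to the same object that was checked. */
int open_checked(const char *path)
{
    struct stat before, after;
    int fd;
    if (lstat(path, &before) != 0)
        return -1;
    if (!S_ISREG(before.st_mode) || before.st_nlink != 1) {
        errno = EPERM;
        return -1;
    }
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW); /* POSIX.1-2008 flag */
    if (fd < 0)
        return -1;
    /* fstat() describes the descriptor itself, so a swap of the path
     * between lstat() and open() shows up as a dev/inode mismatch. */
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode) ||
        after.st_nlink != 1 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_checked(argv[1]) : -1;
    puts(fd >= 0 ? "opened" : "refused");
    return fd >= 0 ? close(fd) : 1;
}
```

Running a mail delivery agent under trace(1), or strace/truss on later systems, should show this same ordering: the checks on the path, one open, then an fstat on the returned descriptor before any write.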