Bugtraq mailing list archives
Re: local root compromise in openbsd 3.0 and below
From: Manuel Bouyer <bouyer () antioche eu org>
Date: Sun, 14 Apr 2002 14:12:04 +0200
On Fri, Apr 12, 2002 at 09:25:54PM -0600, Brett Glass wrote:
> At 01:25 PM 4/12/2002, Manuel Bouyer wrote:
>
> > NetBSD isn't vulnerable either.
>
> What about Solaris? Its /bin/mail does not appear to have the -I option.
From my 2.7 install, it seems that /bin/mail doesn't have any shell-escape
characters. However /usr/ucb/mail seems to be vulnerable.

But for this to be exploited, there needs to be a /usr/ucb/mail command run by root, using input which can be influenced in some way by a non-root user. I don't think there's any in the base distrib, but one could probably be found in third-party scripts.

It would be best if /usr/ucb/mail was fixed to not accept shell escapes from non-tty inputs.

--
Manuel Bouyer <bouyer () antioche eu org>
--
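The fix suggested in the message above (do not accept escapes from non-tty input), sketched in C as an added example that is not part of the original post and not code from any mail implementation. The function names, the handling of `~` as the escape character and the sample body are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added sketch with hypothetical names; not code from any mail(1) source. */
#define ESCAPE_CHAR '~'

struct tally { int text_lines; int escapes_honoured; };

/* Escapes are a terminal feature: allow them only when fd is a tty. */
static int escapes_allowed(int fd)
{
    return fd >= 0 && isatty(fd) == 1;
}

/* Return 1 if this line should be treated as an escape command. */
static int is_escape(const char *line, size_t len, int interactive)
{
    if (!interactive || len < 2 || line[0] != ESCAPE_CHAR)
        return 0;                       /* plain message text */
    return line[1] != ESCAPE_CHAR;      /* doubled char = literal tilde */
}

/* Walk a message body line by line and count how each line is handled. */
static struct tally scan_body(const char *body, int interactive)
{
    struct tally t = {0, 0};
    while (*body) {
        size_t len = strcspn(body, "\n");
        if (is_escape(body, len, interactive))
            t.escapes_honoured++;
        else
            t.text_lines++;
        body += len + (body[len] == '\n');  /* step past the newline */
    }
    return t;
}

/* Constructed sample body: "~x ..." stands in for any escape command. */
static const char SAMPLE[] =
    "Nightly report for host\n"
    "~x placeholder-escape\n"
    "~~ literal tilde line\n";

int main(void)
{
    /* Run from cron or a pipe, stdin is not a tty and no escape is honoured. */
    struct tally t = scan_body(SAMPLE, escapes_allowed(STDIN_FILENO));
    printf("text=%d escapes=%d\n", t.text_lines, t.escapes_honoured);
    return 0;
}
```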