Bugtraq mailing list archives

Re: Security Info (root broken)


From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 28 Sep 94 21:59:18 EDT



I need some answers, badly.

The OS was SunOS 4.1.3_U1B.  The machine was a 4/470.

A site I was helping on was broken into and maliciously destroyed the
other day (rendered un-login-able), apparently via a hole I am unaware
of (thanks for nothing, security thru obscurity folks - the crackers DO
have information that is denied us 'ordinary' folks).  This was a new
install, and it lasted about 4 days.   One person heard thru the cracker
grapevine that root was broken thru /bin/mail.  HOW?!  The permissions-
fixing script from Sun had been run, plus things like arp, chill and
rdist were made unavailable to users (chmod o-rx).  Rdist was replaced
by the fixed version and made unavailable for use to users (chmod o-rx).
The original passwd command was made mode 400, as well as yppasswd, and
a replacement passwd command was installed that didn't have the -F
option, or the chfn or chsh options.  The C2conv script had also been
run.  Sendmail was replaced by the newest version with all the fixes,
and bind 4.9.2 replaced the original nameserver, as well as its resolver
library.  All programs replaced were renamed and made mode 400, owner
root.  Newsyslog was also chown'd to root, and the chmod 666 $LOG was
changed to 644.  /etc/utmp was also changed to mode 644.  Without better
info, all the above work was a total waste of time.

Can someone out there please inform me how these cracker types are getting
root privs, and how one can stop it short of disconnecting the machine?
And most important, how one can test for these vulnerabilities, and FIX
them.  Is there a hole in /bin/mail?  How does one test for it (I am working
on a port of net-2s /bin/mail replacement).  Also, how can one prevent
anyone from being able to forge mail via the -f option?

8lgm posted a /bin/mail script that showed a vulnerability on Usenet and Sun
responded a few weeks later with a patch.  8lgm showed with another script
that their patch had not fixed the problem, but had made it worse.  I do
not believe Sun has since released another patch to fix the problem. 
This was like 3 months ago or more.  So, maybe Sun has released a new patch
for bin/mail, but I have been subscribed to sun's security patch mailing
list and have not seen anything regarding a fix. 


-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030
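The hardening steps described in the quoted message (setuid programs closed off with chmod o-rx, replaced originals made mode 400, /etc/utmp set to 644) form a checklist an administrator would want to re-verify after every change. The audit script below is an added example written for this archive page, not code from the original post or its authors; it relies only on ls(1) and find(1), and runs against a constructed sandbox built by make_sample rather than the real /bin and /etc.

```shell
#!/bin/sh
# Added example, not from the original post: re-verify the permission
# hardening described above (setuid programs o-rx, replaced originals mode
# 400, /etc/utmp 644). The sandbox built by make_sample is constructed.

# perm_string PATH -> the nine rwx characters from ls -l, e.g. "rwsr-xr-x"
perm_string() { ls -ld "$1" | cut -c2-10; }

# other_can_exec PATH -> succeeds if "other" may execute PATH (column 10 is x, or t with sticky)
other_can_exec() { case $(ls -ld "$1" | cut -c10) in x|t) return 0 ;; *) return 1 ;; esac; }

# audit_checklist FILE: each line is "path expected-perm-string"; prints one
# line per missing file or mismatch and returns the number of problems found
audit_checklist() {
    bad=0
    while read -r path want; do
        [ -e "$path" ] || { echo "MISSING  $path"; bad=$((bad + 1)); continue; }
        have=$(perm_string "$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: have $have, want $want"; bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

# setuid_world_exec DIR: setuid files under DIR that any user can still run,
# i.e. the ones the poster closed off with chmod o-rx
setuid_world_exec() {
    find "$1" -type f -perm -4000 -print | while read -r f; do
        if other_can_exec "$f"; then echo "$f"; fi
    done
}

# make_sample DIR: constructed sandbox mirroring the post's state; bin/mail
# is left setuid and world-executable so the audit has something to report
make_sample() {
    mkdir -p "$1/bin" "$1/etc"
    : > "$1/bin/mail";        chmod 4755 "$1/bin/mail"
    : > "$1/bin/rdist";       chmod 4700 "$1/bin/rdist"
    : > "$1/bin/passwd.orig"; chmod 400  "$1/bin/passwd.orig"
    : > "$1/etc/utmp";        chmod 644  "$1/etc/utmp"
    printf '%s\n' "$1/bin/mail rws------" "$1/bin/passwd.orig r--------" \
        "$1/etc/utmp rw-r--r--" > "$1/checklist"
}

SANDBOX=$(mktemp -d)
make_sample "$SANDBOX"
setuid_world_exec "$SANDBOX/bin"
audit_checklist "$SANDBOX/checklist" || echo "$? item(s) still need fixing"
```

On a live system the checklist would name the real paths, and setuid_world_exec would be run over /bin, /usr/bin and /usr/etc.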


