Bugtraq mailing list archives

Re: Security Info (root broken)


From: karl () bagpuss demon co uk (Karl Strickland)
Date: Thu, 29 Sep 1994 21:11:18 +0100 (BST)



On Thu, 29 Sep 1994 07:04:44 -0600 (CDT), Pug <pug () arlut utexas edu> said:
    >> This was a new
    >> install, and it lasted about 4 days.   One person heard thru the cracker
    >> grapevine that root was broken thru /bin/mail.
    P> Did you happen to install the following, in particular 101436-02?
    P> Solaris 1.1.1 Patches Containing Security Fixes:
    P> ------------------------------------------------
    P> 101436-02   SunOS 4.1.3_U1: bin/mail jumbo patch
This is the patch which made the race condition *easier* to exploit
than it was in the unpatched version.

As I remember the race condition, you don't have a problem if you don't
allow the 'r' commands into your system. The race condition created a

Sorry, this is bollocks.  It's nothing to do with 'r' commands - it just
happened that the exploit script used .rhosts & rsh or whatever to
demonstrate the problem.  The problem is that files can be created/modified
anywhere in the filesystem.  If you want more info, grab the original
advisories from the fileserver.  Here's the info:


             ANNOUNCING THE [8LGM] FILESERVER & MAILING LIST INFO

FILESERVER:

        After getting flooded with requests for advisories, we've set up
        a fileserver to try and make things a bit easier.  Unfortunately,
        we're not currently in a position to be able to offer or maintain
        an FTP site.  (Thanks to those who offered us some space on their
        systems though!)

        To access the fileserver, send a message to
                                8lgm-fileserver () bagpuss demon co uk

        Eg:

                $ echo help | mail 8lgm-fileserver () bagpuss demon co uk

        The help file is included at the end of this message.  We
        anticipate a large number of mails to this server, hence its
        mail is being processed on another mailqueue, which will be
        flushed when the load on the system is low.  (bagpuss.demon.co.uk
        is just a PC - albeit a wonderful one - with an already heavy
        load).  Replies will often take 24 hours, and sometimes up to 48
        hours, but this will still be quicker than we were able to reply
        to the requests by hand.

        People asking for ../../../../../../../../etc/passwd will be
        frowned upon :-)

MAILING LIST:

        A reminder for those not on our mailing list.  The mailing list
        is only used for mailing advisories, there is no 'junk mail'
        (except this one :-)).  To get on it, send mail to:

                8lgm-request () bagpuss demon co uk

        Mail to this address is processed automatically, and you won't
        usually get a reply - but wherever you mail from *will* be added
        to the list.

        If you need an address adding to the list which you cannot mail
        from, send mail to 8lgm () bagpuss demon co uk, and we'll add it
        manually.

-----------------------------------------------------------------------------
Here is the help file from the server:

The [8lgm]-Fileserver recognises the following commands:

HELP                            (gets you this file)
LIST                            (lists files available)
SEND filename                   (sends filename)
QUIT

Commands must be sent in the message body to
    8lgm-fileserver () bagpuss demon co uk

(Commands sent in the Subject: line are ignored).

Multiple commands can be sent in one message.
The * wildcard is understood in filename.

A typical request might be:

list
send *
quit

If you have any problems, please mail to 8lgm () bagpuss demon co uk.

------------------------------------------------------------------------------
A list of files currently available:

        [8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991
        [8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991
        [8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991
        [8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992
        [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992
        [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH
        [8lgm]-Advisory-6.UNIX.mail2.2-May-1994
        [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
        [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
        [8lgm]-Advisory-Introduction
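
The command format in the help file above, sketched as an added example (not part of the original post and not the [8lgm] server's own code): a handler that parses HELP/LIST/SEND/QUIT from a message body and resolves SEND arguments against a fixed catalogue, so a request such as the ../../etc/passwd one mentioned above never reaches the filesystem. The function names, the reply tuples and the refusal policy are assumptions.

```python
import re

# Constructed catalogue: four of the names from the file list in the post.
CATALOGUE = [
    "[8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991",
    "[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992",
    "[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH",
    "[8lgm]-Advisory-Introduction",
]

def match_files(pattern, catalogue=CATALOGUE):
    """Resolve a SEND argument to catalogue names; None means 'refused'."""
    # A request names a catalogue entry, not a path, so separators, NUL and
    # ".." are refused outright (assumed policy) and can be logged.
    if not pattern or ".." in pattern or any(c in pattern for c in "/\\\0"):
        return None
    # Only "*" is a wildcard; everything else, including "[" and "?", is
    # literal. Matching runs over the allowlist and never touches the disk.
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("*")))
    return [name for name in catalogue if rx.fullmatch(name)]

def handle_message(body, catalogue=CATALOGUE):
    """Parse one message body and return the (action, detail) replies."""
    replies = []
    for line in body.splitlines():
        words = line.split(None, 1)
        if not words:
            continue
        cmd = words[0].upper()  # the sample request uses lower case
        arg = words[1].strip() if len(words) > 1 else ""
        if cmd == "QUIT":
            break  # ignore everything after QUIT, e.g. a signature
        if cmd == "HELP":
            replies.append(("help", ""))
        elif cmd == "LIST":
            replies.append(("list", list(catalogue)))
        elif cmd == "SEND":
            names = match_files(arg, catalogue)
            if names is None:
                replies.append(("refused", arg))
            elif not names:
                replies.append(("not-found", arg))
            else:
                replies.extend(("send", name) for name in names)
        else:
            replies.append(("unknown", words[0]))
    return replies
```

Because SEND is answered from the catalogue rather than by joining the argument onto a directory, the traversal check is a second layer used for logging refused requests, not the only barrier.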


