Bugtraq mailing list archives

Re: Security Info (root broken)


From: Mark.Graff () Corp Sun COM ( Mark Graff )
Date: Thu, 29 Sep 1994 14:58:19 -0700


Several people have asked about the status of Sun's /bin/mail patches.

The quick status is that we will be issuing another patch within the
next few days. It fixes the problems pointed out in the two postings
from 8LGM and one or two others that were uncovered in the course of
testing. This version has been extensively tested, and the last external
tester reported success just this morning. Now all that remains is to
package, release, and announce it.

I think the original poster also wanted to know how to get information
about security patches from Sun. The answer there, if you are seeking
official information, is either to use the Answer Centers or
security-alert () sun com (which I maintain).

Mark Graff

p.s. Followups to security-alert () sun com, not me personally, please. The
"official" alias is better attended and is read even when I am out of
comm.

 From bugtraq-owner () fc net  Wed Sep 28 19:27:22 1994
 Date: Wed, 28 Sep 1994 19:13:38 -0400 (EDT)
 To: Pat Myrto <rwing!pat () ole cdac com>
 Cc: bugtraq () crimelab com
 Subject: Re: Security Info (root broken)
 Precedence: bulk
 
 
of (thanks for nothing, security thru obscurity folks - the crackers DO
have information that is denied us 'ordinary' folks).  This was a new
install, and it lasted about 4 days.   One person heard thru the cracker
grapevine that root was broken thru /bin/mail.  HOW?!  The
permissions-fixing script from Sun had been run, plus things like arp, chill and
 
 the bug in /bin/mail is fairly well known (not the one that sunos has a 
 patch out for, but the one after - after the 8lgm advisory about this, 
 there was some talk in comp.security.unix about any setuid root /bin/mail 
 being vulnerable) as well as that "Guide to securing your SunOS 4.1.3 
 machine" article talked a lot about that (btw: is anyone maintaining that? 
 it's a great file) i don't think CERT or sun has an advisory or patch for 
 it... just the ones mentioned in comp.security.unix
 

Can someone out there please inform me how these cracker types are getting
root privs, and how one can stop it short of disconnecting the machine?
And most important, how one can test for these vulnerabilities, and FIX
them.  Is there a hole in /bin/mail?  How does one test for it (I am working
on a port of net-2s /bin/mail replacement).  Also, how can one prevent
 
 yes there is a bug in /bin/mail - if it is setuid root (ie: used as a 
 delivery agent) it can be exploited to gain root access. there was an 
 advisory about this ages ago (i forget who, some guy called Joerg 
 Czeranski wrote it i think) - his solution was to use a local delivery 
 agent he wrote called mail.local - if you want to close this hole, chmod 
 u-s /bin/mail, install either procmail or the mail.local (which i have 
 yet to find anywhere, procmail is easy to find... (i forget where.. 
 archie is your friend), and then edit your Mlocal line in 
 /etc/sendmail.cf to be procmail instead of /bin/mail
 
 as for the bug in it... umm.. well.. i dunno.. there is one (i won't be 
 like jsz and say 'perhaps') and it is fairly well known and exploited.
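An audit script for the mitigation the reply describes (an added example, not from anyone in the thread): it checks whether a /bin/mail binary is still setuid and which program the Mlocal line in sendmail.cf hands local delivery to. The Mlocal line layout and the procmail remedy are assumed from the classic sendmail.cf format; the files it runs against in the demo are constructed.

```shell
#!/bin/sh
# Audit the local-delivery path the reply describes: a setuid /bin/mail used
# as sendmail's Mlocal agent. Paths are arguments so it can run against a
# staged copy of a host's files. Assumed sendmail.cf layout (classic):
#   Mlocal, P=/bin/mail, F=rlsDFMmn, S=10, R=20, A=mail -d $u

# is_setuid FILE: exit 0 when the setuid bit is set on FILE.
is_setuid() {
    [ -u "$1" ]
}

# mlocal_agent CF: print the program named by P= on the Mlocal line of CF.
mlocal_agent() {
    sed -n 's/^Mlocal,[[:space:]]*.*P=\([^,]*\).*/\1/p' "$1" | head -n 1
}

# audit_local_delivery MAILBIN CF: report findings; exit 0 only when neither
# the setuid bit nor the Mlocal line still exposes MAILBIN.
audit_local_delivery() {
    mailbin=$1; cf=$2; status=0
    if is_setuid "$mailbin"; then
        echo "WARN: $mailbin is setuid; remove with: chmod u-s $mailbin"
        status=1
    else
        echo "ok: $mailbin is not setuid"
    fi
    agent=$(mlocal_agent "$cf")
    case "$agent" in
        "")         echo "WARN: no Mlocal line found in $cf"; status=1 ;;
        */bin/mail) echo "WARN: Mlocal in $cf uses $agent; set P= to procmail (or mail.local)"
                    status=1 ;;
        *)          echo "ok: Mlocal delivery agent is $agent" ;;
    esac
    return $status
}

# Demo on constructed files (not a real host): a setuid stand-in for /bin/mail
# and a sendmail.cf whose Mlocal line still points at it.
demo=$(mktemp -d)
: > "$demo/mail"; chmod u+s "$demo/mail"
printf 'Mlocal, P=/bin/mail, F=rlsDFMmn, S=10, R=20, A=mail -d $u\n' > "$demo/sendmail.cf"
audit_local_delivery "$demo/mail" "$demo/sendmail.cf" || echo "action required"
rm -rf "$demo"
```

On a real SunOS host the two warnings map directly onto the reply's fix: chmod u-s /bin/mail, then repoint the Mlocal P= entry at procmail.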


