Bugtraq mailing list archives

Re: /bin/mail...


From: karl () bagpuss demon co uk (Karl Strickland)
Date: Fri, 30 Sep 1994 19:31:55 +0100 (BST)



Good Morning,

  After playing with the race condition this morning, I honestly don't
  see how the patch made it worse. (Unless I've got the scripts
  backwards.) The first exploit allowed you to create or append to any
  file. The second exploit only allows you to create any file. Yeah, it
  probably makes people feel more secure, but it's silly if they feel
  safe. So, after the patch, you can at least not append to /etc/passwd
  or whatever. As well, it seems that if there is an alias for the 0 UID
  user, the problem doesn't exist. (At least I didn't see an option for
  not doing an alias with binmail. I could be wrong.) As well, even if
  you could write to /etc/passwd (/etc/shadow) it doesn't parse past
  bogus lines. (i.e. the mail headers)

  Please let me know if I'm wrong in any of these statements.

You are :-)

Please read the advisories again - carefully this time :-)  It's important to
note that the exploit scripts are not the be-all and end-all of a problem;
they're simply a demonstration.  The 2nd mail advisory says:

       "Note that this script will only create new files, not append
        to existing ones (as did the one in the previous advisory).
        A variation on this script could easily be written to append
        to existing files.  On the other hand, you are now virtually
        guaranteed to win this race, which is what makes this problem
        worse than the original."

Yours,
Karl Strickland.
-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |