Bugtraq mailing list archives

Re: Solaris mailx hole


From: aleph1 () underground org (Aleph One)
Date: Sun, 4 Aug 1996 00:04:50 -0700


From: rk () queens netuse de (Roland Kaltefleiter)

In netuse.lists.bugtraq you write:

On Mon, 1 Jul 1996, Marc Mosko/jfrank/us wrote:

Today, someone told me that there's a security hole in Solaris 2.3's mailx
program.  They didn't have all the details, but said that by creating a "temp"
file they could link to an ".rhosts" file and then rlogin as root on the target
machine.  Somehow this involved mailx.  This sounds a bit like the race
condition hack for ps....

On my systems (Solaris 2.3) mailx is "r-x--s--x bin mail".  The machines this
worked on were 2.5, but as I said I don't have any real details.

Has anyone heard of this?

Thanks,
Marc Mosko


It's a very very old hole in /bin/mail that allows race conditions in
which .rhosts files can be created...

I would have thought this was fixed by 2.5, but it wasn't. My boss just a
few minutes ago exploited it on a sol2.5 machine.

Hmm, whatever he did, it was *NOT* a 2.5 from stock.

FYI:

Solaris 2.5:
$ uname -a
SunOS www 5.5 Generic_103093-02 sun4d sparc SUNW,SPARCserver-1000
$ ls -l /usr/bin/mail
-r-x--s--x   1 bin      mail       66052 Oct 25  1995 /usr/bin/mail
$ ls -l /bin
lrwxrwxrwx   1 root     root           9 Jun 22 21:30 /bin -> ./usr/bin
$ ls -l /usr/bin/mailx
-r-x--s--x   1 bin      mail      133460 Oct 25  1995 /usr/bin/mailx

And the sendmail.cf PROTOTYPE tells you:

Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnP, S=10, R=20, A=mail.local -d $u
$ ls -l /usr/lib/mail.local
-r-xr-xr-x   1 bin      bin        12396 Oct 25  1995 /usr/lib/mail.local

So whatever you did, you did misconfigure your Solaris 2.5.

I assume you took over your sendmail.cf, and when sendmail runs as root,
it starts the local mailer as root. /usr/bin/mail HAS NOT BEEN MADE for that.
You will even hack sendmail 8.7.5 that way.

So update your sendmail.cf :-)

*sigh*

So how do you want to get root access with a set-gid mail program?

Roland
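The misconfiguration Roland describes (a hand-edited sendmail.cf whose Mlocal mailer points at /bin/mail instead of /usr/lib/mail.local) can be caught by parsing the mailer definitions. The script below is an added example, not part of the thread; the second sendmail.cf fragment is constructed to show the bad case, and the check also looks at the F=S mailer flag, which sendmail documents as "don't reset the userid before calling the mailer".

```python
import re

# Constructed sendmail.cf fragments. STOCK_CF mirrors the Solaris 2.5 PROTOTYPE
# line quoted in the thread; BROKEN_CF is a made-up hand-edited file that hands
# local delivery to /bin/mail, which sendmail (running as root) then runs as root.
STOCK_CF = """\
# local mailer, as shipped
Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnP, S=10, R=20, A=mail.local -d $u
Mprog,  P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
"""
BROKEN_CF = """\
Mlocal, P=/bin/mail, F=flsSDFMmn, S=10, R=20, A=mail -d $u
"""

MAILER_RE = re.compile(r"^M(\w+),\s*(.*)$")


def parse_mailers(cf_text):
    """Return {name: {field: value}} for every M<name> line in a sendmail.cf."""
    mailers = {}
    for line in cf_text.splitlines():
        m = MAILER_RE.match(line)
        if not m:
            continue  # comments, options, rulesets: not mailer definitions
        fields = {}
        for part in m.group(2).split(","):
            key, _, value = part.strip().partition("=")
            fields[key] = value
        mailers[m.group(1)] = fields
    return mailers


def check_local_mailer(cf_text, expected="/usr/lib/mail.local"):
    """Flag a local mailer that is not the shipped mail.local delivery agent."""
    local = parse_mailers(cf_text).get("local")
    if local is None:
        return ["no Mlocal definition found"]
    prog, flags = local.get("P", ""), local.get("F", "")
    findings = []
    if prog != expected:
        findings.append(f"Mlocal P={prog}: local delivery is not via {expected}")
        if "S" in flags:
            # F=S keeps sendmail's own uid (root) when it execs the mailer.
            findings.append(f"Mlocal F={flags}: flag S runs {prog} with sendmail's root uid")
    return findings


if __name__ == "__main__":
    for name, cf in (("stock", STOCK_CF), ("broken", BROKEN_CF)):
        print(name, check_local_mailer(cf) or ["ok"])
```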


