Bugtraq mailing list archives
Re: Solaris mailx hole
From: aleph1 () underground org (Aleph One)
Date: Sun, 4 Aug 1996 00:04:50 -0700
From: rk () queens netuse de (Roland Kaltefleiter)

In netuse.lists.bugtraq you write:
On Mon, 1 Jul 1996, Marc Mosko/jfrank/us wrote:
Today, someone told me that there's a security hole in Solaris 2.3's mailx program. They didn't have all the details, but said that by creating a "temp" file they could link to an ".rhosts" file and then rlogin as root on the target machine. Somehow this involved mailx. This sounds a bit like the race condition hack for ps.... On my systems (Solaris 2.3) mailx is "r-x--s--x bin mail". The machines this worked on were 2.5, but as I said I don't have any real details. Has anyone heard of this? Thanks, Marc Mosko
It's a very very old hole in /bin/mail that allows race conditions in which .rhosts files can be created...
I would have thought this was fixed by 2.5, but it wasn't. My boss just a few minutes ago exploited it on a sol2.5 machine.
Hmm, whatever he did, it was *NOT* a 2.5 from stock. FYI: Solaris 2.5:

$ uname -a
SunOS www 5.5 Generic_103093-02 sun4d sparc SUNW,SPARCserver-1000
$ ls -l /usr/bin/mail
-r-x--s--x 1 bin mail 66052 Oct 25 1995 /usr/bin/mail
$ ls -l /bin
lrwxrwxrwx 1 root root 9 Jun 22 21:30 /bin -> ./usr/bin
$ ls -l /usr/bin/mailx
-r-x--s--x 1 bin mail 133460 Oct 25 1995 /usr/bin/mailx

And the sendmail.cf PROTOTYPE tells you:

Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnP, S=10, R=20, A=mail.local -d $u

$ ls -l /usr/lib/mail.local
-r-xr-xr-x 1 bin bin 12396 Oct 25 1995 /usr/lib/mail.local

So whatever you did, you misconfigured your Solaris 2.5. I assume you took over your sendmail.cf, and when sendmail runs as root, it starts the local mailer as root. /usr/bin/mail HAS NOT BEEN MADE for that. You will even hack sendmail 8.7.5 that way. So update your sendmail.cf :-)
*sigh*
So how do you want to get root access with a set-gid mail program?

Roland
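The two things Roland checks above, the program named in the Mlocal mailer definition and the set-id bits on the mail binaries, can be audited by a short script. The following is an added example, not code from the thread or from Sun: it runs offline on constructed sample lines copied from the output quoted above (plus one deliberately wrong Mlocal line for contrast), and /etc/mail/sendmail.cf as the live location of the configuration file is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit the local mailer definition and the
# set-id bits on the mail binaries. Runs on constructed sample data; on a real
# host feed it `grep '^Mlocal' /etc/mail/sendmail.cf` (path is an assumption)
# and the output of `ls -l /usr/bin/mail /usr/bin/mailx /usr/lib/mail.local`.

# mailer_program MLOCAL_LINE -> prints the P= (program) field of an Mlocal line
mailer_program() {
    printf '%s\n' "$1" | sed -n 's/^Mlocal,.*P=\([^,]*\),.*/\1/p'
}

# check_mailer MLOCAL_LINE -> "ok:<prog>" when delivery goes through mail.local,
# "misconfigured:<prog>" when a set-gid user agent (mail/mailx) was put there.
check_mailer() {
    prog=$(mailer_program "$1")
    case "$prog" in
        */mail.local)   printf 'ok:%s\n' "$prog"; return 0 ;;
        */mail|*/mailx) printf 'misconfigured:%s\n' "$prog"; return 1 ;;
        *)              printf 'unknown:%s\n' "$prog"; return 1 ;;
    esac
}

# check_mode MODE OWNER GROUP -> "ok" for the stock layout (set-gid to group
# mail, never set-uid), "setuid:<owner>" or "setgid:<group>" otherwise, and
# "no-setid" when neither bit is set. MODE is the first field of `ls -l`.
check_mode() {
    mode=$1 owner=$2 group=$3
    case "$mode" in
        ???[sS]*)                              # 4th character: set-uid bit
            printf 'setuid:%s\n' "$owner"; return 1 ;;
        ??????[sS]*)                           # 7th character: set-gid bit
            if [ "$group" = mail ]; then
                printf 'ok\n'; return 0
            else
                printf 'setgid:%s\n' "$group"; return 1
            fi ;;
        *)  printf 'no-setid\n'; return 0 ;;
    esac
}

# Constructed sample input: the Mlocal line and ls -l output quoted in the
# thread (stock Solaris 2.5), plus a deliberately wrong Mlocal line.
STOCK_MLOCAL='Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnP, S=10, R=20, A=mail.local -d $u'
BAD_MLOCAL='Mlocal, P=/usr/bin/mail, F=flsSDFMmnP, S=10, R=20, A=mail -d $u'

for line in "$STOCK_MLOCAL" "$BAD_MLOCAL"; do
    check_mailer "$line" || :
done
check_mode -r-x--s--x bin mail || :   # /usr/bin/mail and /usr/bin/mailx as quoted
check_mode -r-xr-xr-x bin bin  || :   # /usr/lib/mail.local as quoted
```

The mode check only reads the two set-id positions of the `ls -l` mode string, so it reports "setuid:root" for a root-owned set-uid binary and "setgid:<group>" for a set-gid binary owned by any group other than mail; both are departures from the stock layout Roland lists.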