Bugtraq mailing list archives
Re: Solaris mailx hole
From: casper () holland Sun COM (Casper Dik)
Date: Tue, 2 Jul 1996 10:00:57 +0200
It's a very very old hole in /bin/mail that allows race conditions in which .rhosts files can be created... I would have thought this was fixed by 2.5, but it wasn't. My boss just a few minutes ago exploited it on a sol2.5 machine.
Very interesting.

In Solaris 2.5,

    /usr/bin/mail is set-gid mail, not set-uid root
    /usr/bin/mailx is set-gid mail, not set-uid root
    /usr/lib/sendmail doesn't use /bin/mail for the delivery of mail, it uses /usr/lib/mail.local

If there's a problem I really want to get it fixed, but considering that mail delivery uses an entirely different program in Solaris 2.5, I find it hard to believe that the 8lgm exploit still works.

Even in Solaris 2.3 with patches all I get is bounced mail with:

    mail: '/var/mail/root' must be regular or character special file with no links

or no output at all.

(this is with /bin/mail patch 101574-04 but the readme doesn't list any security fixes)

Casper
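Added example, not part of the original message and not Solaris code: a C helper (the name `open_mailbox_checked` is hypothetical) that applies the rule in the quoted error text, accepting only a regular or character special file with one link, and adds `O_NOFOLLOW` plus an `fstat()` re-check so the object cannot be swapped between the check and the open. It assumes a POSIX.1-2008 system.

```c
/* Added example: hypothetical helper, not the Solaris /bin/mail source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for lstat() and O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same rule as the quoted error text: regular or character special, one link. */
static int acceptable(const struct stat *st)
{
    return (S_ISREG(st->st_mode) || S_ISCHR(st->st_mode)) && st->st_nlink == 1;
}

/* Open an existing mailbox for append, or return -1 with errno set. */
int open_mailbox_checked(const char *path)
{
    struct stat before, after;
    int fd;
    /* lstat() inspects the name itself, so a symlink is seen as a symlink. */
    if (lstat(path, &before) != 0)
        return -1;
    if (!acceptable(&before)) {
        errno = EPERM;
        return -1;
    }
    /* O_NOFOLLOW rejects a symlink swapped in after lstat(); there is no
     * O_CREAT, so this call never creates a file at a redirected name. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Re-check the opened object and require it to be the one lstat() saw. */
    if (fstat(fd, &after) != 0 || !acceptable(&after) ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_mailbox_checked(argc > 1 ? argv[1] : "/var/mail/root");
    if (fd < 0) { perror("mailbox rejected"); return 1; }
    close(fd);
    return puts("mailbox accepted") < 0;
}
```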