Re: sendmail exploit script - resend

Casper Dik (casper@fwi.uva.nl)
Mon, 28 Mar 94 12:04:33 +0200

 program will be executed when mail is sent to the fake alias.
>># since solaris sh and csh and tcsh refuse to run when euid != realuid,
>># we instead run the program we compiled above.
>
>Does anyone know quite what the logic behind these shell checks is? They're
>just a pain and a stumbling block that are trivial to work around. Is it only
>Sun derived things that do this?

The check was first implemented in the csh, it was already in the 4.x BSD
csh.  From there it automatically went into tcsh.  The Solaris Bourne
shell does reset its effective uid and effective gid, unless invoked
with the -p flag.  I'm not sure what the rationale is, but it does
function as a rear guard against sloppy set-uid/set-gid programs.
(E.g., a set-uid program can safely do popen and system in Solaris w/o
resetting the effective uid.  Of course, you shouldn't count on it when
writing set-uid programs, but it would prevent stuff like the IFS
hole in rdist. And, for those cases there's no workaround that you can use
to still abuse the hole)

In Solaris 2.x it prevents executing a shell with egid=sys from inside
crash.  /usr/kvm/crash is set-gid sys, but shouldn't be.  This error
has migrated to Solaris 2.x from SunOS.

The fix is easy: chmod g-s /usr/kvm/crash.

Note that /usr/kvm/crash can be used for unrestricted kernel browsing
by mere mortals anyway, so removing the set-gid bit is recommended.

Casper
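The two mechanisms discussed above, as an added example that is not part of Casper's mail or of any Sun code: the real/effective id comparison on which csh and tcsh refuse to start (and on which the Solaris sh resets its ids), and the explicit privilege drop that a set-uid program should perform itself before calling popen() or system(), rather than counting on the shell's rear guard. The function names are hypothetical. It assumes a POSIX system; note that on systems with a saved set-user-id, a non-root process calling setuid() changes only the effective id, so where setresuid() is available it is the more thorough way to drop all three.

```c
/* Added example, not from Casper Dik's mail or from Sun sources.
 * Demonstrates the euid/ruid check the BSD csh performs and the
 * privilege drop a set-uid program should do before popen()/system(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 when effective ids differ from real ids: the condition on
 * which csh/tcsh refuse to run and the Solaris sh resets its ids
 * (unless invoked with -p).  Returns 0 otherwise. */
int ids_mismatch(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop to the real uid/gid.  Group first: once the uid has been
 * dropped the process may no longer be permitted to change its gid.
 * The drop is verified afterwards.  Returns 0 on success, -1 on failure. */
int drop_to_real_ids(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Never assume the calls worked; check the ids actually match now. */
    if (ids_mismatch())
        return -1;
    return 0;
}

/* Run cmd through popen() only after privileges are dropped, so that an
 * IFS or PATH trick in the caller's environment yields at most an
 * unprivileged shell.  Copies the first output line (at most n-1 bytes)
 * into out.  Returns 0 on success, -1 otherwise. */
int run_unprivileged(const char *cmd, char *out, size_t n)
{
    FILE *fp;

    if (n == 0)
        return -1;
    if (drop_to_real_ids() != 0)
        return -1;
    fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    if (fgets(out, (int)n, fp) == NULL)
        out[0] = '\0';
    pclose(fp);
    return 0;
}

/* Stand-alone demonstration: run this binary set-uid to see the ids
 * differ before the drop and match afterwards. */
int main(void)
{
    char buf[128];

    printf("before drop: ids %s\n", ids_mismatch() ? "differ" : "match");
    if (run_unprivileged("id", buf, sizeof buf) != 0) {
        perror("run_unprivileged");
        return 1;
    }
    printf("after drop : %s", buf);
    return 0;
}
```

When the program is not set-uid the ids already match, so both checks report "match"; when it is set-uid, the first line reports "differ" and the id output after the drop shows the real user, which is the state the child shell should be started in regardless of whether that shell performs its own check.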