Re: Security Info (root broken)

pluvius (pluvius@dragon.achilles.net)
Wed, 28 Sep 1994 19:13:38 -0400 (EDT)

> of (thanks for nothing, security thru obscurity folks - the crackers DO
> have information that is denied us 'ordinary' folks).  This was a new
> install, and it lasted about 4 days.   One person heard thru the cracker
> grapevine that root was broken thru /bin/mail.  HOW?!  The permissions-
> fixing script from Sun had been run, plus things like arp, chill and

the bug in /bin/mail is fairly well known (not the one that sunos has a 
patch out for, but the one after - after the 8lgm advisory about this, 
there was some talk in comp.security.unix about any setuid root /bin/mail 
being vulnerable) as well as that "Guide to securing your SunOS 4.1.3 
machine" article talked a lot about that (btw: is anyone maintaining that? 
it's a great file) i don't think CERT or sun has an advisory or patch for 
it... just the ones mentioned in comp.security.unix

> 
> Can someone out there please inform me how these cracker types are getting
> root privs, and how one can stop it short of disconnecting the machine?
> And most important, how one can test for these vulnerabilities, and FIX
> them.  Is there a hole in /bin/mail?  How does one test for it (I am working
> on a port of net-2s /bin/mail replacement).  Also, how can one prevent

yes there is a bug in /bin/mail - if it is setuid root (ie: used as a 
delivery agent) it can be exploited to gain root access. there was an 
advisory about this ages ago (i forget who, some guy called Joerg 
Czeranski wrote it i think) - his solution was to use a local delivery 
agent he wrote called mail.local - if you want to close this hole, chmod 
u-s /bin/mail, install either procmail or the mail.local (which i have 
yet to find anywhere, procmail is easy to find... (i forget where.. 
archie is your friend), and then edit your Mlocal line in 
/etc/sendmail.cf to be procmail instead of /bin/mail

as for the bug in it... umm.. well.. i dunno.. there is one (i won't be 
like jsz and say 'perhaps') and it is fairly well known and exploited.
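An added example, not part of the original post: a small POSIX sh audit of the two mitigations the reply describes (no setuid bit on /bin/mail, and the Mlocal mailer in sendmail.cf pointing at a replacement delivery agent rather than /bin/mail). The paths are passed as parameters so it can be run against constructed files; on a real host you would pass /bin/mail and /etc/sendmail.cf. The sendmail.cf mailer syntax assumed is the classic "Mlocal, P=<program>, ..." line.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the /bin/mail
# mitigations are in place. Both checks take file paths as parameters.

# mail_is_setuid FILE
#   returns 0 if FILE carries the setuid bit (the condition the reply says
#   makes /bin/mail exploitable), 1 otherwise (also 1 if FILE is missing).
mail_is_setuid() {
    [ -u "$1" ]
}

# mlocal_uses_bin_mail CF
#   returns 0 if the Mlocal mailer definition in sendmail.cf CF still names
#   /bin/mail as its delivery program (P=/bin/mail), 1 otherwise.
#   Assumed line shape: "Mlocal, P=/bin/mail, F=..., S=10, R=20, A=mail -d $u"
mlocal_uses_bin_mail() {
    grep -E '^Mlocal,' "$1" | grep -q 'P=/bin/mail'
}

# audit_local_mailer MAILBIN CF
#   returns 0 when both mitigations are applied, 1 otherwise, and prints
#   the remediation the reply recommends for each failed check.
audit_local_mailer() {
    rc=0
    if mail_is_setuid "$1"; then
        echo "FAIL: $1 is setuid; run: chmod u-s $1"
        rc=1
    fi
    if mlocal_uses_bin_mail "$2"; then
        echo "FAIL: Mlocal in $2 still delivers via /bin/mail;" \
             "point P= at procmail or mail.local"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: local delivery does not rely on setuid /bin/mail"
    return "$rc"
}

# Stand-alone usage against the real files (needs read access to both):
#   audit_local_mailer /bin/mail /etc/sendmail.cf
```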