Re: Security Info (root broken)

Karl Strickland (karl@bagpuss.demon.co.uk)
Thu, 29 Sep 1994 21:11:18 +0100 (BST)

> 
> > >>>>> On Thu, 29 Sep 1994 07:04:44 -0600 (CDT), Pug <pug@arlut.utexas.edu> said:
> >     >> This was a new
> >     >> install, and it lasted about 4 days.   One person heard thru the cracker
> >     >> grapevine that root was broken thru /bin/mail.
> >     P> Did you happen to install the following, in particular 101436-02?
> >     P> Solaris 1.1.1 Patches Containing Security Fixes:
> >     P> ------------------------------------------------
> >     P> 101436-02   SunOS 4.1.3_U1: bin/mail jumbo patch
> > This is the patch which made the race condition *easier* to exploit
> > than it was in the unpatched version.
> 
> As I remember the race condition, you don't have a problem if you don't
> allow the 'r' commands into your system. The race condition created a

Sorry, this is bollocks.  It's nothing to do with 'r' commands - it just
happened that the exploit script used .rhosts & rsh or whatever to
demonstrate the problem.  The problem is that files can be created/modified
anywhere in the filesystem.  If you want more info, grab the original
advisories from the fileserver.  Here's the info:


	     ANNOUNCING THE [8LGM] FILESERVER & MAILING LIST INFO

FILESERVER:

	After getting flooded with requests for advisories, we've set up
	a fileserver to try and make things a bit easier.  Unfortunately,
	we're not currently in a position to be able to offer or maintain
	an FTP site.  (Thanks to those who offered us some space on their
	systems though!)

	To access the fileserver, send a message to
				8lgm-fileserver@bagpuss.demon.co.uk

	Eg:

		$ echo help | mail 8lgm-fileserver@bagpuss.demon.co.uk

	The help file is included at the end of this message.  We
	anticipate a large number of mails to this server, hence its
	mail is being processed on another mailqueue, which will be
	flushed when the load on the system is low.  (bagpuss.demon.co.uk
	is just a PC - albeit a wonderful one - with an already heavy
	load).  Replies will often take 24 hours, and sometimes up to 48
	hours, but this will still be quicker than we were able to reply
	to the requests by hand.

	People asking for ../../../../../../../../etc/passwd will be
	frowned upon :-)

MAILING LIST:

	A reminder for those not on our mailing list.  The mailing list
	is only used for mailing advisories, there is no 'junk mail'
	(except this one :-)).  To get on it, send mail to:

		8lgm-request@bagpuss.demon.co.uk

	Mail to this address is processed automatically, and you won't
	usually get a reply - but wherever you mail from *will* be added
	to the list.

	If you need an address added to the list which you cannot mail
	from, send mail to 8lgm@bagpuss.demon.co.uk, and we'll add it
	manually.

-----------------------------------------------------------------------------
Here is the help file from the server:

The [8lgm]-Fileserver recognises the following commands:

HELP				(gets you this file)
LIST				(lists files available)
SEND filename			(sends filename)
QUIT

Commands must be sent in the message body to
    8lgm-fileserver@bagpuss.demon.co.uk

(Commands sent in the Subject: line are ignored).

Multiple commands can be sent in one message.
The * wildcard is understood in filename.

A typical request might be:

list
send *
quit

If you have any problems, please mail to 8lgm@bagpuss.demon.co.uk.

------------------------------------------------------------------------------
A list of files currently available:

	[8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991
	[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991
	[8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991
	[8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992
	[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992
	[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH
	[8lgm]-Advisory-6.UNIX.mail2.2-May-1994
	[8lgm]-Advisory-7.UNIX.passwd.11-May-1994
	[8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
	[8lgm]-Advisory-Introduction
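The point Karl makes above - that the bug class lets a privileged program
create or modify files anywhere in the filesystem, and that rsh/.rhosts was
only the demonstration vehicle - is easiest to see in code.  The following
is an added illustration, not code from this post, from the advisories or
from SunOS /bin/mail (the page does not describe the actual /bin/mail race,
and this does not claim to reproduce it).  It models the generic
check-then-use race in a setuid file writer: stat() the mailbox path, then
open() it, with a window in between during which the attacker swaps the
mailbox for a symlink to a root-writable file.  Beside it is the hardened
form (O_NOFOLLOW plus fstat() on the descriptor).  The function names
unsafe_open_for_append, safe_open_for_append and run_demo, the scratch
directory and the files "secret", "mailbox" and "realbox" are all assumed
and constructed for the demo; the symlink is planted before the open to
stand in for winning the race.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, symlink(), mkdtemp() on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (assumed generic model, not the real /bin/mail code):
 * the privileged program checks a path, then opens it.  Between the two
 * calls the attacker replaces the mailbox with a symlink to a file only
 * root may write; open() follows the link and the append lands there. */
int unsafe_open_for_append(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)            /* check: follows symlinks */
        return -1;
    /* --- race window: attacker does  ln -sf /etc/passwd mailbox  --- */
    return open(path, O_WRONLY | O_APPEND); /* use: follows symlinks too */
}

/* Hardened pattern: open without following symlinks, then validate the
 * object actually opened through the descriptor (fstat cannot be raced). */
int safe_open_for_append(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);                       /* symlink, hard link or wrong owner */
        return -1;
    }
    return fd;
}

/* Demo on constructed files in a scratch directory: "secret" stands in for
 * /etc/passwd, "mailbox" is the symlink the attacker planted, "realbox" is an
 * honest mailbox.  Returns a bitmask: 1 = unsafe open wrote through the link,
 * 2 = safe open refused the link, 4 = safe open accepted the real mailbox. */
int run_demo(void)
{
    char dir[] = "/tmp/mailrace-XXXXXX";
    char secret[300], mailbox[300], realbox[300];
    struct stat before, after;
    int result = 0, fd;
    const char *payload = "evil::0:0::/:/bin/sh\n";
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(mailbox, sizeof mailbox, "%s/mailbox", dir);
    snprintf(realbox, sizeof realbox, "%s/realbox", dir);

    f = fopen(secret, "w");              /* constructed victim file */
    if (!f) return -1;
    fputs("root:x:0:0:root:/:/bin/sh\n", f);
    fclose(f);
    f = fopen(realbox, "w");             /* constructed genuine mailbox */
    if (!f) return -1;
    fclose(f);
    if (symlink(secret, mailbox) != 0)   /* attacker's planted link */
        return -1;

    stat(secret, &before);
    fd = unsafe_open_for_append(mailbox);
    if (fd >= 0) {
        if (write(fd, payload, strlen(payload)) < 0) return -1;
        close(fd);
    }
    stat(secret, &after);
    if (after.st_size > before.st_size)  /* the append hit the victim file */
        result |= 1;

    if (safe_open_for_append(mailbox, getuid()) < 0)
        result |= 2;
    if ((fd = safe_open_for_append(realbox, getuid())) >= 0) {
        result |= 4;
        close(fd);
    }

    unlink(mailbox); unlink(secret); unlink(realbox); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("unsafe open wrote through symlink : %s\n", (r & 1) ? "yes" : "no");
    printf("safe open refused symlink         : %s\n", (r & 2) ? "yes" : "no");
    printf("safe open accepted real mailbox   : %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Nothing here needs root or rsh: the only privilege the real bug needs is
that the mail delivery program runs as root and writes to a path the user
controls, which is why blocking the 'r' commands does not close it.  The
owner/link-count checks in the hardened version also catch the hard-link
variant that O_NOFOLLOW alone does not.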