> > > >>>>> On Thu, 29 Sep 1994 07:04:44 -0600 (CDT), Pug <pug@arlut.utexas.edu> said:
> >
> > >> This was a new
> > >> install, and it lasted about 4 days. One person heard thru the cracker
> > >> grapevine that root was broken thru /bin/mail.
> >
> > P> Did you happen to install the following, in particular 101436-02?
> >
> > P> Solaris 1.1.1 Patches Containing Security Fixes:
> > P> ------------------------------------------------
> > P> 101436-02 SunOS 4.1.3_U1: bin/mail jumbo patch
> >
> > This is the patch which made the race condition *easier* to exploit
> > than it was in the unpatched version.
>
> As I remember the race condition, you don't have a problem if you don't
> allow the 'r' commands into your system. The race condition created a

Sorry, this is bollocks. It's nothing to do with 'r' commands - it just
happened that the exploit script used .rhosts & rsh or whatever to
demonstrate the problem.

The problem is that files can be created/modified anywhere in the
filesystem.

If you want more info, grab the original advisories from the fileserver.
Here's the info:

ANNOUNCING THE [8LGM] FILESERVER & MAILING LIST INFO

FILESERVER:

After getting flooded with requests for advisories, we've set up a
fileserver to try and make things a bit easier. Unfortunately, we're not
currently in a position to be able to offer or maintain an FTP site.
(Thanks to those who offered us some space on their systems though!)

To access the fileserver, send a message to

    8lgm-fileserver@bagpuss.demon.co.uk

Eg:

    $ echo help | mail 8lgm-fileserver@bagpuss.demon.co.uk

The help file is included at the end of this message.

We anticipate a large number of mails to this server, hence its mail is
being processed on another mailqueue, which will be flushed when the load
on the system is low. (bagpuss.demon.co.uk is just a PC - albeit a
wonderful one - with an already heavy load). Replies will often take 24
hours, and sometimes up to 48 hours, but this will still be quicker than
we were able to reply to the requests by hand.

People asking for ../../../../../../../../etc/passwd will be frowned
upon :-)

MAILING LIST:

A reminder for those not on our mailing list. The mailing list is only
used for mailing advisories, there is no 'junk mail' (except this
one :-)). To get on it, send mail to:

    8lgm-request@bagpuss.demon.co.uk

Mail to this address is processed automatically, and you won't usually
get a reply - but wherever you mail from *will* be added to the list. If
you need an address adding to the list which you cannot mail from, send
mail to 8lgm@bagpuss.demon.co.uk, and we'll add it manually.

-----------------------------------------------------------------------------

Here is the help file from the server:

The [8lgm]-Fileserver recognises the following commands:

    HELP            (gets you this file)
    LIST            (lists files available)
    SEND filename   (sends filename)
    QUIT

Commands must be sent in the message body to
8lgm-fileserver@bagpuss.demon.co.uk (Commands sent in the Subject: line
are ignored).

Multiple commands can be sent in one message. The * wildcard is
understood in filename.

A typical request might be:

    list
    send *
    quit

If you have any problems, please mail to 8lgm@bagpuss.demon.co.uk.

------------------------------------------------------------------------------

A list of files currently available:

    [8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991
    [8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991
    [8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991
    [8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992
    [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992
    [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH
    [8lgm]-Advisory-6.UNIX.mail2.2-May-1994
    [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
    [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
    [8lgm]-Advisory-Introduction
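
An added example, not part of the original message and not the [8lgm] server's own code: one way a mail fileserver with the HELP/LIST/SEND/QUIT commands described above can expand the * wildcard while giving a request such as ../../../../../../../../etc/passwd nothing to work with. The function names, reply tuples and placeholder file bodies are assumptions made for illustration.

```python
import re

# Constructed catalogue: names copied from the file list above, bodies are placeholders.
CATALOGUE = {
    "[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992": "(placeholder text)",
    "[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH": "(placeholder text)",
    "[8lgm]-Advisory-6.UNIX.mail2.2-May-1994": "(placeholder text)",
    "[8lgm]-Advisory-Introduction": "(placeholder text)",
}

def match_names(pattern, names):
    """Expand a SEND argument in which '*' is the only wildcard.

    Everything else is escaped, so '[8lgm]' is literal text rather than a
    character class (which is how fnmatch/glob would read it).
    """
    rx = re.compile(".*".join(re.escape(part) for part in pattern.split("*")))
    return sorted(n for n in names if rx.fullmatch(n))

def handle_request(body, catalogue=CATALOGUE):
    """Process one message body; return a list of (action, value) replies."""
    replies = []
    for line in body.splitlines():
        words = line.split(None, 1)
        if not words:
            continue
        verb = words[0].upper()  # the sample request uses lower-case commands
        arg = words[1].strip() if len(words) > 1 else ""
        if verb == "QUIT":
            break  # anything after QUIT (e.g. a signature) is ignored
        elif verb == "HELP":
            replies.append(("help", None))
        elif verb == "LIST":
            replies.append(("list", sorted(catalogue)))
        elif verb == "SEND" and arg:
            # The argument is only compared with catalogue names; it is never
            # joined to a directory or passed to open(), so '../' cannot escape.
            hits = match_names(arg, catalogue)
            if hits:
                replies.extend(("send", name) for name in hits)
            else:
                replies.append(("refused", arg))
        else:
            replies.append(("unknown", line.strip()))
    return replies
```

Matching against a fixed catalogue instead of the filesystem means there is no path to canonicalise, and a refused request can be logged verbatim for review.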