Re: Security Info (root broken)

Mark Graff (Mark.Graff@Corp.Sun.COM)
Thu, 29 Sep 1994 14:58:19 -0700

Several people have asked about the status of Sun's /bin/mail patches.

The quick status is that we will be issuing another patch within the
next few days. It fixes the problems pointed out in the two postings
from 8LGM and one or two others that were uncovered in the course of
testing. This version has been extensively tested, and the last external
tester reported success just this morning. Now all that remains is to
package, release, and announce it.

I think the original poster also wanted to know how to get information
about security patches from Sun. The answer there, if you are seeking
official information, is either to use the Answer Centers or
security-alert@sun.com (which I maintain).

Mark Graff

p.s. Followups to security-alert@sun.com, not me personally, please. The
"official" alias is better attended and is read even when I am out of
comm.

From bugtraq-owner@fc.net  Wed Sep 28 19:27:22 1994
Date: Wed, 28 Sep 1994 19:13:38 -0400 (EDT)
To: Pat Myrto <rwing!pat@ole.cdac.com>
Cc: bugtraq@crimelab.com
Subject: Re: Security Info (root broken)
Precedence: bulk

> of (thanks for nothing, security thru obscurity folks - the crackers DO
> have information that is denied us 'ordinary' folks).  This was a new
> install, and it lasted about 4 days.   One person heard thru the cracker
> grapevine that root was broken thru /bin/mail.  HOW?!  The permissions-
> fixing script from Sun had been run, plus things like arp, chill and

the bug in /bin/mail is fairly well known (not the one that sunos has a
patch out for, but the one after - after the 8lgm advisory about this,
there was some talk in comp.security.unix about any setuid root /bin/mail
being vulnerable) as well as that "Guide to securing your SunOS 4.1.3
machine" article talked a lot about that (btw: is anyone maintaining that?
it's a great file). i don't think CERT or sun has an advisory or patch for
it... just the ones mentioned in comp.security.unix

>
> Can someone out there please inform me how these cracker types are getting
> root privs, and how one can stop it short of disconnecting the machine?
> And most important, how one can test for these vulnerabilities, and FIX
> them.  Is there a hole in /bin/mail?  How does one test for it (I am working
> on a port of net-2s /bin/mail replacement).  Also, how can one prevent

yes there is a bug in /bin/mail - if it is setuid root (i.e. used as a
delivery agent) it can be exploited to gain root access. there was an
advisory about this ages ago (i forget who, some guy called Joerg
Czeranski wrote it i think) - his solution was to use a local delivery
agent he wrote called mail.local - if you want to close this hole, chmod
u-s /bin/mail, install either procmail or the mail.local (which i have
yet to find anywhere; procmail is easy to find... i forget where.. archie
is your friend), and then edit your Mlocal line in /etc/sendmail.cf to be
procmail instead of /bin/mail

as for the bug in it... umm.. well.. i dunno.. there is one (i won't be
like jsz and say 'perhaps') and it is fairly well known and exploited.
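An added check, not code from either poster, that audits the two settings the reply above recommends: whether /bin/mail is still setuid, and which program the Mlocal line in /etc/sendmail.cf hands local delivery to. Paths are arguments so it can be run against copies; the P= field layout of the Mlocal line is assumed from typical sendmail.cf files of the period.

```shell
#!/bin/sh
# Audit helper for the /bin/mail hardening described in the thread:
# /bin/mail should not be setuid root, and the Mlocal mailer in sendmail.cf
# should hand local delivery to a separate agent such as procmail.

# Return 0 if the file has the setuid bit set, 1 if not or if it is missing.
# The fourth column of `ls -l` is the owner-execute slot: 's' or 'S' there
# means setuid.
is_setuid() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the program named by the P= field of the Mlocal mailer definition
# (assumed layout, e.g. "Mlocal, P=/bin/mail, F=lsDFMrmn, S=10, R=20, A=mail -d $u"),
# or nothing if the file has no Mlocal line.
local_mailer_program() {
    grep '^Mlocal' "$1" 2>/dev/null | sed -n 's/.*P=\([^, ]*\).*/\1/p' | head -n 1
}

# Report both findings; return 0 only when both match the recommendation.
audit_local_delivery() {
    mailbin=$1 cf=$2 rc=0
    if is_setuid "$mailbin"; then
        echo "WARN: $mailbin is setuid; recommended fix is: chmod u-s $mailbin"
        rc=1
    else
        echo "ok: $mailbin is not setuid"
    fi
    prog=$(local_mailer_program "$cf")
    case "$prog" in
        ""|*/bin/mail)
            echo "WARN: Mlocal in $cf delivers via '${prog:-<none found>}', not a separate agent"
            rc=1 ;;
        *)
            echo "ok: Mlocal in $cf delivers via $prog" ;;
    esac
    return $rc
}
```

Run as `audit_local_delivery /bin/mail /etc/sendmail.cf` after sourcing the file; a non-zero exit means at least one of the two recommendations is not in place.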