From owner-freebsd-security  Fri Apr 12 12:20:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77])
	by hub.freebsd.org (Postfix) with ESMTP id 6047937B400
	for <security@freebsd.org>; Fri, 12 Apr 2002 12:20:33 -0700 (PDT)
Received: from there (localhost [127.0.0.1])
	by borja.sarenet.es (8.11.6/8.11.6) with SMTP id g3CJKV265588
	for <security@freebsd.org>; Fri, 12 Apr 2002 21:20:31 +0200 (CEST)
	(envelope-from borjamar@sarenet.es)
Message-Id: <200204121920.g3CJKV265588@borja.sarenet.es>
Content-Type: text/plain;
  charset="iso-8859-1"
From: Borja Marcos <borjamar@sarenet.es>
To: security@freebsd.org
Subject: Re: [Corrected message] This OpenBSD local root hole may  affect some FreeBSD systems
Date: Fri, 12 Apr 2002 21:20:30 +0200
X-Mailer: KMail [version 1.3.2]
References: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org> <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org>
In-Reply-To: <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Friday 12 April 2002 07:58, you wrote:
> That's good to know! It looks as if NetBSD and Darwin have this feature
> as well. But SunOS 5.8 doesn't (at least according to the docs at
> http://www.freebsd.org/cgi/man.cgi?query=3Dmail&apropos=3D0&sektion=3D0=
&manpath=3DS
>unOS+5.8&format=3Dhtml), so Solaris may be vulnerable.

=09I have just tested Solaris 8 and it is not vulnerable. However, this i=
s very=20
old news. I reported a security hole in SCO Unix to CERT in 1993. I used =
this=20
"feature" to modify root's crontab simply running a script which printed =
"~!=20
commands" from "at".

=09An a security problem with reverse fingers and TCP Wrapper (see Wietse=
=20
Venema's "Murphy's Laws and Computer Security") exploited exactly the sam=
e.=20
As far as I know, that behavior was removed from mail programs; they only=
=20
accept escape sequences (at least the ~!) when running from a terminal.



=09Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message