Date: Sat, 13 Apr 2002 14:26:33 -0400
From: "Charles M. Richmond" <cmr@iisc.com>
To: security@FreeBSD.ORG
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
Message-ID: <200204131826.OAA26250@koibito.iisc.com>
In-Reply-To: Your message of "Sat, 13 Apr 2002 10:06:29 PDT." <200204131706.g3DH6T117776@mikko.rsa.com>

>>Up-to-date patched Solaris 8:
>>...
>>amaterasu $ echo "~\!touch foo" | mail cmr
>>amaterasu $ ls -l foo
>>foo: No such file or directory

>Try "mailx" or /usr/ucb/mail...

First:

amaterasu% ls -l /usr/ucb/mail /usr/bin/mailx
-r-x--s--x 1 root mail 126880 Mar 6 18:01 /usr/bin/mailx
lrwxrwxrwx 1 root root 12 Mar 31 2001 /usr/ucb/mail -> ../bin/mailx

So we only need to try one.

amaterasu% echo "~\!touch foo" | mailx cmr
! No message !?!
amaterasu% ls -l foo
-rw-r--r-- 1 cmr staff 0 Apr 13 13:21 foo

So yes the BSD mailx/mail has the bug. Also I do not see a bug
report on sunsolve.sun.com.

On the other hand it appears that the tilde command is not operating
with the effective UID but with the actual UID. Even though mailx is
SGID mail and the root mailbox is group readable for mail:

ls -l /var/mail
total 18
drwxrwxr-x 2 root mail 512 Oct 25 08:34 :saved
-rw-rw---- 1 cmr mail 318 Apr 13 14:04 cmr
-rw-rw---- 1 root mail 7090 Mar 28 03:10 root

amaterasu% echo "~\!cat /var/mail/root" | mailx cmr
cat: cannot open /var/mail/root
! No message !?!

Does this mitigate the problem sufficiently?

Charles Richmond

PS: I have the source CDs for Solaris, I've just been too lazy to open
them up. Is the mailx utility on the distributed source?

***********************************************************************
* Charles Richmond Integrated International Systems Corporation *
* cmr@iisc.com cmr@acm.org cmr@shore.net http://www.iisc.com *
* UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W *
* 131 Bishop's Forest Drive , Waltham , Ma. USA 02452 *
* (781) 647 2269 FAX (781) 647 3665 Cellular (781) 389 9777 *
***********************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
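
Added example, not part of the original message and not taken from any mailx source: one way a set-group-ID program can make a shell escape run with the invoking user's real IDs, the behaviour the message observes with `cat /var/mail/root`. The names `drop_effective_ids` and `run_escape` are hypothetical.

```c
/* Added example: run a shell escape from a set-ID program with the
 * invoking user's real UID/GID only. Not taken from any mailx source. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set the effective IDs back to the real ones. The exec that follows
 * copies the effective IDs into the saved IDs, so the shell cannot
 * switch back to the set-ID group or user. Returns 0 on success. */
static int drop_effective_ids(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Group first: after setuid() we may no longer be allowed to setgid(). */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the result rather than trusting the return codes alone. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Hypothetical helper: run cmd via /bin/sh as the invoking user.
 * Returns the command's exit status, or -1 on failure. */
int run_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_effective_ids() != 0)
            _exit(126);            /* never exec with privileges left */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* The child prints its real and effective group IDs; they must match. */
    return run_escape("echo \"rgid=$(id -g -r) egid=$(id -g)\"");
}
```

Dropping the IDs in the child, after `fork()` and before `execl()`, leaves the parent's effective group intact for its own mailbox access.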