Date: Fri, 12 Apr 2002 21:20:30 +0200 From: Borja Marcos <borjamar@sarenet.es> To: security@freebsd.org Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems Message-ID: <200204121920.g3CJKV265588@borja.sarenet.es> In-Reply-To: <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org> References: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org> <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Friday 12 April 2002 07:58, you wrote: > That's good to know! It looks as if NetBSD and Darwin have this feature > as well. But SunOS 5.8 doesn't (at least according to the docs at > http://www.freebsd.org/cgi/man.cgi?query=3Dmail&apropos=3D0&sektion=3D0= &manpath=3DS >unOS+5.8&format=3Dhtml), so Solaris may be vulnerable. =09I have just tested Solaris 8 and it is not vulnerable. However, this i= s very=20 old news. I reported a security hole in SCO Unix to CERT in 1993. I used = this=20 "feature" to modify root's crontab simply running a script which printed = "~!=20 commands" from "at". =09An a security problem with reverse fingers and TCP Wrapper (see Wietse= =20 Venema's "Murphy's Laws and Computer Security") exploited exactly the sam= e.=20 As far as I know, that behavior was removed from mail programs; they only= =20 accept escape sequences (at least the ~!) when running from a terminal. =09Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204121920.g3CJKV265588>