
Title: Vulnerabilities in /bin/mail
Released by: CERT
Date: 26th January 1995
=============================================================================
CERT(*) Advisory CA-95:02
Original issue date: January 26, 1995
Last revised: September 23, 1997
                Updated Copyright statement

Topic: Vulnerabilities in /bin/mail
-----------------------------------------------------------------------------

            *** This advisory supersedes CA-91:01a and CA-91:13. ***

There are vulnerabilities in some versions of /bin/mail. Section III below
provides vendor-specific information and an alternative to /bin/mail.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
-----------------------------------------------------------------------------



I.   Description

     Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable
     because of timing windows in the way /bin/mail uses publicly writable
     directories.

II.  Impact

     Local users (users that have an account on the system) can create
     or modify root-owned files on the system and can thereby gain
     unauthorized root access.
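
     Added example, not part of the CERT advisory and not code from
     /bin/mail or mail.local: the advisory gives no detail on the timing
     windows, so this C example shows the general check-then-open pattern
     a privileged delivery agent can fall into in a publicly writable
     directory, beside an open that validates the descriptor instead of
     the name. All function names and the scratch directory are assumptions.

```c
/* Added illustration; not code from /bin/mail, mail.local or the advisory. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use: the name is inspected, then opened by name. In a publicly
 * writable directory the object behind the name can change in between. */
int open_mailbox_racy(const char *path) {
    struct stat st;
    if (lstat(path, &st) == 0 && !S_ISREG(st.st_mode)) return -1;
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
}

/* Hardened: never follow a final-component link, create atomically with
 * O_EXCL, then validate the object actually opened through its descriptor. */
int open_mailbox_safe(const char *path, uid_t owner) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0 && errno == ENOENT)
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario in a scratch directory: a symlink and a hard link
 * stand in for a mailbox name. Returns a bitmask of the cases refused. */
int refused_cases(void) {
    char dir[] = "/tmp/spoolXXXXXX", t[64], s[64], h[64], n[64];
    int fd, mask = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(t, sizeof t, "%s/target", dir); snprintf(s, sizeof s, "%s/sym", dir);
    snprintf(h, sizeof h, "%s/hard", dir);   snprintf(n, sizeof n, "%s/new", dir);
    fd = open(t, O_WRONLY | O_CREAT, 0600); if (fd >= 0) close(fd);
    if (symlink(t, s) != 0 || link(t, h) != 0) return -1;
    if (open_mailbox_safe(s, geteuid()) < 0) mask |= 1;  /* symlink refused */
    if (open_mailbox_safe(h, geteuid()) < 0) mask |= 2;  /* extra hard link refused */
    fd = open_mailbox_safe(n, geteuid());                /* fresh mailbox is created */
    if (fd < 0) mask |= 4; else close(fd);
    unlink(s); unlink(h); unlink(n); unlink(t); rmdir(dir);
    return mask;
}

int main(void) { printf("refused mask: %d\n", refused_cases()); return 0; }
```

     The checks in open_mailbox_safe run on the open descriptor, so a
     later change to the directory entry cannot alter what was validated.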



III. Solutions

     Either install a patch from your vendor or replace /bin/mail with
     mail.local.

     A.  Obtain the appropriate patch from your vendor and install it
         according to the instructions included with the patch.

         Below is a summary of the vendors listed in Appendix A of this
         advisory and the information they have provided. If your vendor's
         name is not on this list, please contact the vendor directly.

         Vendor or Source                   Status
         ----------------                   ------------
         Apple Computer, Inc.               not vulnerable
         Berkeley SW Design, Inc. (BSDI)    not vulnerable
         Data General Corp.                 not vulnerable
         Digital Equipment Corp.            vulnerable, patches available
         FreeBSD                            not vulnerable
         Harris                             not vulnerable
         IBM                                not vulnerable
         NetBSD                             not vulnerable
         NeXT, Inc.                         not vulnerable
         Pyramid                            not vulnerable
         The Santa Cruz Operation (SCO)     see note in Appendix A
         Solbourne (Grumman)                vulnerable - contact vendor
         Sun Microsystems, Inc.             SunOS 4.x vulnerable, patches
                                              available, patch revisions
                                              coming soon
                                            Solaris 2.x not vulnerable



     B. Replace /bin/mail with mail.local.

        If you cannot obtain a vendor-supplied replacement for /bin/mail, the
        CERT Coordination Center recommends using mail.local as a replacement
        for /bin/mail.

        Although the current version of mail.local is not a perfect solution,
        it addresses the vulnerabilities currently being exploited in
        /bin/mail.

        mail.local is now provided with the latest version of sendmail.
        That version can be found at

        http://info.cert.org/pub/tools/sendmail/sendmail-latest*

        The original version of mail.local has been tested on SunOS 4.1
        and Ultrix 4.X systems.

        Mail.local.c for BSD 4.3 systems, along with a README file containing
        installation instructions, can be found on the anonymous FTP servers
        listed below.

        Location
        --------
        http://info.cert.org/pub/tools/mail.local/mail.local.c
        MD5  c0d64e740b42f6dc5cc54a2bc37c31b0

        http://coast.cs.purdue.edu/pub/tools/unix/mail.local/mail.local.c
        MD5  c0d64e740b42f6dc5cc54a2bc37c31b0



...............................................................................

Appendix A: Vendor Information

Below is information we have received from vendors who have patches available
or upcoming for the vulnerabilities described in this advisory, as well as
vendors who have confirmed that their products are not vulnerable. If your
vendor's name is not in one of these lists, contact the vendor directly for
information on whether their version of sendmail is vulnerable and, if so, the
status of patches to address the vulnerabilities.

NOT VULNERABLE
--------------
The following vendors have reported that their products are NOT vulnerable.
         Apple Computer, Inc.
         Berkeley SW Design, Inc. (BSDI)
         Data General Corp.
         Harris
         IBM
         NeXT, Inc.
         Pyramid
         The Santa Cruz Operation (SCO) - not vulnerable, but see note below
         Sun Microsystems, Inc. - Solaris 2.x (SunOS 4.x is vulnerable; see
                                               below)

In addition, we have reports that the following products are NOT vulnerable.
         FreeBSD
         NetBSD

VULNERABLE
----------
We have reports that the following vendors' products ARE vulnerable.
Patch information is provided below.



-----------------------------
Digital Equipment Corporation

Vulnerable:  DEC OSF/1 versions 1.2, 1.3, and 2.0
             DEC ULTRIX versions 4.3, 4.3A, and 4.4

Obtain and install the appropriate patch according to the instructions
included with the patch. The patch that corrects the /bin/mail problem in each
case is part of a comprehensive Security Enhanced Kit that addresses other
problems as well. This kit has been available since May 17, 1994. It is
described in DEC security advisory #0505 and in CERT bulletin VB-94:02.

        1. DEC OSF/1
           Upgrade/install OSF/1 to a minimum of V2.0 and
           install Security Enhanced Kit CSCPAT_4061 v1.0.

        2. DEC ULTRIX
           Upgrade/install ULTRIX to a minimum of V4.4 and
           install Security Enhanced Kit CSCPAT_4060 v1.0.

Both kits listed above are available from Digital Equipment Corporation by
contacting your normal Digital support channel or by request via DSNlink for
electronic transfer.

-----------------------------
The Santa Cruz Operation (SCO)

SCO's version of /bin/mail is not vulnerable to the problems mentioned
in this advisory. SCO's /bin/mail is not setuid-root. However, SCO's
/bin/mail has other security-related issues that are fixed by SCO's
Support Level Supplement (SLS) uod392a. To get this:

ftp:    ftp.sco.COM:/SLS/uod392a.Z      (compressed disk image)
        ftp.sco.COM:/SLS/uod392a.ltr.Z  (cover letter)
        ftp.sco.COM:/SLS/README

-----------------------------
Solbourne

Grumman System Support Corporation now performs all Solbourne
software and hardware support. Please contact them for further
information.

        ftp: ftp.nts.gssc.com
        phone: 1-800-447-2861
        e-mail: support@nts.gssc.com

-----------------------------
Sun Microsystems, Inc.

Current patches are listed below:

        SunOS      Patch              MD5 Checksum
        ------     -----              ------------
        4.1.3      100224-13.tar.Z    90a507017a1a40c4622b3f1f00ce5d2d
        4.1.3U1    101436-08.tar.Z    0e64560edc61eb4b3da81a932e8b11e1

        The patches can be obtained from local Sun Answer Centers and
        through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist
        directory. In Europe, the patches are available from mcsun.eu.net
        in the /sun/fixes directory.





---------------------------------------------------------------------------
The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl
Strickland, Wietse Venema, and Neil Woods for their contributions to
mail.local.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet E-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

Past advisories, CERT bulletins, information about FIRST representatives,
and other information related to computer security are available for anonymous
FTP from info.cert.org.



------------------------------------------------------------------------------

Copyright 1995, 1996 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.







~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Sep. 23 1997   Updated Copyright statement
Nov. 21, 1996  Removed Appendices B & C.
               Sec. B, paragraph 3 - updated information about the location
                 of mail.local.
Aug. 30, 1996  Information previously in the README was inserted
                into the advisory, and URL formats were updated.
June 09, 1995  Appendix A - corrected patch information from Sun.