-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Gert Meijerink & Don Stikvoort              Index  :    S-95-05
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : /bin/mail vulnerabilities                   Date   :  30-Jan-95
===============================================================================

By courtesy of CERT/CC we received the following information about 
vulnerabilities in /bin/mail. It is an updated version of CERT Advisory 
CA-95:02 of January 26, 1995.

We advise you to take very good notice if this applies to your situation,
and take relevant steps. However we do warn you that the current fix has some
flaws, which are addressed in the following disclaimer, for which we thankfully
acknowledge Gene Spafford of the Purdue CERT.  

- -- Start disclaimer 

We encourage local site admins to read this advisory.  Note, however, that the 
version of mail.local distributed by the CERT may not be appropriate to 
install on your system for the following reasons:
  * it does not compile properly on every version of Unix where you may
    be running sendmail and need to apply it.  If it does not compile without
    error, be very careful about making changes to get it to compile -- the
    code uses some features that may not be fully portable.  Changes to this
    code should be made with great care so as not to introduce new 
    vulnerabilities.
  * there is a known flaw in the code that may allow users to corrupt
    the disk if they can write to /usr/spool/mail.  If your mail spool 
    directory is mode 1777, this flaw may be exploited and you probably
    should not install this code without carefully weighing the risk.

Also note that the code assumes your mail spool directory is located in 
/var/spool, and this is not the case on many machines.  The 
definition in the code may need to be changed.

- -- End disclaimer

In spite of this disclaimer however CERT-NL felt it necessary to not longer
delay the publication of this advisory. Any improvements to the fix will be
made available immediately through our infoserver - details see below.

===============================================================================

There are vulnerabilities in some versions of /bin/mail. Section III below
provides vendor-specific information and an alternative to /bin/mail.

As we receive additional information relating to this advisory, it will be 
placed, along with any clarifications, in an S-95-05.APPENDIX file 
available under:

ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/bulletin

The first version of this APPENDIX is distributed at the same time
as this advisory. Later versions will as a rule NOT be actively 
distributed by CERT-NL: so please check regularly if you deem this 
necessary.

- -----------------------------------------------------------------------------

I.   Description

     Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable 
     because of timing windows (a.k.a. race conditions) in the way /bin/mail 
     uses publicly writable directories.

II.  Impact

     Local users (users that have an account on the system) can create 
     or modify root-owned files on the system and can thereby gain
     unauthorized root access.

III. Solutions

     Either install a patch from your vendor or replace /bin/mail with
     mail.local .

     A.  Obtain the appropriate patch from your vendor and install it
         according to the instructions included with the patch.

         Below is a summary of the vendors listed in the current version of 
         the S-95-05.APPENDIX file, and the status they have provided.  
         More complete information, including how to obtain patches, is
         provided in the APPENDIX file itself, which will be updated as 
         more information from vendors is received.

         If your vendor's name is not on this list, please contact the vendor
         directly.
         {Note by courtesy of CIAC: Cray entry added  --CERT-NL}

         Vendor or Source                   Status
         ----------------                   ------------
         Apple Computer, Inc.               not vulnerable
         Berkeley SW Design, Inc. (BSDI)    not vulnerable
         Cray Research, Inc                 not vulnerable
         Data General Corp.                 not vulnerable      
         Digital Equipment Corp.            vulnerable, patches available
         FreeBSD                            not vulnerable
         Harris                             not vulnerable
         IBM                                not vulnerable 
         NetBSD                             not vulnerable
         NeXT, Inc.                         not vulnerable 
         Pyramid                            not vulnerable
         The Santa Cruz Operation (SCO)     see note in Appendix A
         Solbourne (Grumman)                vulnerable - contact vendor
         Sun Microsystems, Inc.             SunOS 4.x vulnerable, patches
                                              available, patch revisions
                                              coming soon
                                            Solaris 2.x not vulnerable
         {Note by courtesy of DFN CERT: if the patch 102042-01 for SunOS 5.4 
          (Solaris 2.4) for "backward compatibility of /bin/mail to 4.x 
          versions" will make the /bin/mail program vulnerable is not 
          clear  --CERT-NL}

     B. Replace /bin/mail with mail.local.

        If you cannot obtain a vendor-supplied replacement for /bin/mail, 
        using mail.local as a replacement for /bin/mail is recommended.

        Although the current version of mail.local is not a perfect solution,
        it addresses the vulnerabilities currently being exploited in
        /bin/mail. As improvements to mail.local become available, they will
        be noted in the README file associated with mail.local . 

        The current version of mail.local has been tested on SunOS 4.1
        and Ultrix 4.X systems.

        Mail.local.c for BSD 4.3 systems, along with its README file containing
        installation instructions, can be found under:.

  ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/patches/mail.local
  MD5 checkusm for mail.local.c = c0d64e740b42f6dc5cc54a2bc37c31b0

- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl
Strickland, Wietse Venema, and Neil Woods for their contributions to
mail.local.
- ---------------------------------------------------------------------------
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IDTSYjBqwfc9jEQInlACfWFRtGk8r5VM52nw3cNxT/lVmSh0AoNkW
3Px6q0BZAUWWA435DBsi2hfr
=VrNZ
-----END PGP SIGNATURE-----