Subject /bin/mail vulnerabilities Date 30-Jan-95
09d7e8bc24fdeef500a58228880f37fc095ffd28dfccdd1f2fa86b2e38adf3c0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Gert Meijerink & Don Stikvoort Index : S-95-05
Distribution : World Page : 1
Classification: External Version: Final
Subject : /bin/mail vulnerabilities Date : 30-Jan-95
===============================================================================
By courtesy of CERT/CC we received the following information about
vulnerabilities in /bin/mail. It is an updated version of CERT Advisory
CA-95:02 of January 26, 1995.
We advise you to take very good notice if this applies to your situation,
and take relevant steps. However we do warn you that the current fix has some
flaws, which are addressed in the following disclaimer, for which we thankfully
acknowledge Gene Spafford of the Purdue CERT.
- -- Start disclaimer
We encourage local site admins to read this advisory. Note, however, that the
version of mail.local distributed by the CERT may not be appropriate to
install on your system for the following reasons:
* it does not compile properly on every version of Unix where you may
be running sendmail and need to apply it. If it does not compile without
error, be very careful about making changes to get it to compile -- the
code uses some features that may not be fully portable. Changes to this
code should be made with great care so as not to introduce new
vulnerabilities.
* there is a known flaw in the code that may allow users to corrupt
the disk if they can write to /usr/spool/mail. If your mail spool
directory is mode 1777, this flaw may be exploited and you probably
should not install this code without carefully weighing the risk.
Also note that the code assumes your mail spool directory is located in
/var/spool, and this is not the case on many machines. The
definition in the code may need to be changed.
- -- End disclaimer
In spite of this disclaimer however CERT-NL felt it necessary to not longer
delay the publication of this advisory. Any improvements to the fix will be
made available immediately through our infoserver - details see below.
===============================================================================
There are vulnerabilities in some versions of /bin/mail. Section III below
provides vendor-specific information and an alternative to /bin/mail.
As we receive additional information relating to this advisory, it will be
placed, along with any clarifications, in an S-95-05.APPENDIX file
available under:
ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/bulletin
The first version of this APPENDIX is distributed at the same time
as this advisory. Later versions will as a rule NOT be actively
distributed by CERT-NL: so please check regularly if you deem this
necessary.
- -----------------------------------------------------------------------------
I. Description
Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable
because of timing windows (a.k.a. race conditions) in the way /bin/mail
uses publicly writable directories.
II. Impact
Local users (users that have an account on the system) can create
or modify root-owned files on the system and can thereby gain
unauthorized root access.
III. Solutions
Either install a patch from your vendor or replace /bin/mail with
mail.local .
A. Obtain the appropriate patch from your vendor and install it
according to the instructions included with the patch.
Below is a summary of the vendors listed in the current version of
the S-95-05.APPENDIX file, and the status they have provided.
More complete information, including how to obtain patches, is
provided in the APPENDIX file itself, which will be updated as
more information from vendors is received.
If your vendor's name is not on this list, please contact the vendor
directly.
{Note by courtesy of CIAC: Cray entry added --CERT-NL}
Vendor or Source Status
---------------- ------------
Apple Computer, Inc. not vulnerable
Berkeley SW Design, Inc. (BSDI) not vulnerable
Cray Research, Inc not vulnerable
Data General Corp. not vulnerable
Digital Equipment Corp. vulnerable, patches available
FreeBSD not vulnerable
Harris not vulnerable
IBM not vulnerable
NetBSD not vulnerable
NeXT, Inc. not vulnerable
Pyramid not vulnerable
The Santa Cruz Operation (SCO) see note in Appendix A
Solbourne (Grumman) vulnerable - contact vendor
Sun Microsystems, Inc. SunOS 4.x vulnerable, patches
available, patch revisions
coming soon
Solaris 2.x not vulnerable
{Note by courtesy of DFN CERT: if the patch 102042-01 for SunOS 5.4
(Solaris 2.4) for "backward compatibility of /bin/mail to 4.x
versions" will make the /bin/mail program vulnerable is not
clear --CERT-NL}
B. Replace /bin/mail with mail.local.
If you cannot obtain a vendor-supplied replacement for /bin/mail,
using mail.local as a replacement for /bin/mail is recommended.
Although the current version of mail.local is not a perfect solution,
it addresses the vulnerabilities currently being exploited in
/bin/mail. As improvements to mail.local become available, they will
be noted in the README file associated with mail.local .
The current version of mail.local has been tested on SunOS 4.1
and Ultrix 4.X systems.
Mail.local.c for BSD 4.3 systems, along with its README file containing
installation instructions, can be found under:.
ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/patches/mail.local
MD5 checkusm for mail.local.c = c0d64e740b42f6dc5cc54a2bc37c31b0
- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl
Strickland, Wietse Venema, and Neil Woods for their contributions to
mail.local.
- ---------------------------------------------------------------------------
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IDTSYjBqwfc9jEQInlACfWFRtGk8r5VM52nw3cNxT/lVmSh0AoNkW
3Px6q0BZAUWWA435DBsi2hfr
=VrNZ
-----END PGP SIGNATURE-----