
b-02.ciac-silicon-graphics-mail

Posted Sep 23, 1999


SHA-256 | ff4545c7f4dec6e88665b88708c00de396b4a60255c16127b9ffa0d0024f5f7b


_____________________________________________________
The Computer Incident Advisory Capability (CIAC)
_____________________________________________________
Informational Bulletin

UNIX Security Problem with Silicon Graphics Mail

October 12, 1990, 0800 PST Number B-2

CIAC has learned of a security problem with the Berkeley Mailer
supplied by Silicon Graphics. The program /usr/sbin/Mail on IRIX 3.3
and later releases is installed with the setgid bit set. This allows
users to read any mail on the system, including mail to root.

To determine if your system has this problem you should execute:

ls -l /usr/sbin/Mail

A line similar to the following should be displayed:

-rwxr-sr-x 1 bin mail 172080 Jun 7 15:05 /usr/sbin/Mail

Look at the permission bits. If you see "-rwxr-sr-x" (the "s" in the
group permissions is the setgid bit), then the problem exists on your
system.
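As an added example (not part of the original bulletin): the check above matches one exact permission string, but the setgid bit also shows up in modes such as "-rwsr-sr-x" or "-rwxr-Sr--". The script below generalizes the check to any `ls -l` line; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the setgid bit in `ls -l` output rather than
# matching the single string "-rwxr-sr-x".

# has_setgid MODE: succeeds when the 7th character of the mode string (the
# group-execute slot) is 's' (setgid + execute) or 'S' (setgid, no execute).
has_setgid() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_listing: reads `ls -l` lines on stdin and prints "group path" for
# every regular file whose setgid bit is set. Directories are skipped.
audit_listing() {
    while read -r mode _links _owner group _size _mon _day _time path; do
        case "$mode" in
            -*) if has_setgid "$mode"; then
                    printf '%s %s\n' "$group" "$path"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample input, modelled on the listing format in the bulletin.
# Only the first line reproduces the vulnerable listing; the rest are made up.
sample_listing() {
    cat <<'EOF'
-rwxr-sr-x 1 bin mail 172080 Jun 7 15:05 /usr/sbin/Mail
-rwxr-xr-x 1 bin mail 172080 Jun 7 15:05 /usr/sbin/Mail.fixed
-rwsr-sr-x 1 root mail 4096 Jun 7 15:05 /usr/sbin/example-both
-rwxr-Sr-- 1 bin mail 1024 Jun 7 15:05 /usr/sbin/example-noexec
drwxr-sr-x 2 bin mail 512 Jun 7 15:05 /usr/mail-example
EOF
}

sample_listing | audit_listing
```

On a live system, pipe real output into it, for example `ls -l /usr/sbin/Mail | audit_listing`; any line printed names a file that runs with its owning group's privileges.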

There are several potential solutions for this problem.

Alternative 1 - Workaround

Execute the following command as root:

chmod 755 /usr/sbin/Mail

Then, after running ls -l again, you should see:

-rwxr-xr-x 1 bin mail 172080 Jun 7 15:05 /usr/sbin/Mail

This workaround has one known side effect. The Mail program can no
longer remove the user's mail file from /usr/mail when all messages
have been deleted. Instead, it leaves a zero length file.

If you choose this solution, please be aware that the fixed binary will
be available in the next release of IRIX (3.3.2, currently scheduled
for November, 1990).

Alternative 2 - Obtain and install the fixed binary

A better solution is to download the fixed binary from sgi.com.
Silicon Graphics has made a new executable available to fix this
problem. It is available for anonymous ftp from sgi.com, or from your
local Silicon Graphics sales representative. Contact the SGI hotline
for more information. (The bug number is alpha bug AF19315).

If you are not certain how to ftp to sgi.com and properly install the
binary, use the following commands:

cd /usr/sbin                           - The directory that Mail is in
chmod 755 /usr/sbin/Mail               - Remove the setgid bit
mv /usr/sbin/Mail /usr/sbin/Mail.org   - Rename Mail
ftp 192.48.153.1                       - ftp to sgi.com and get the new binary,
name: anonymous                        - login as anonymous
password: guest                        - password guest
ftp> bin                               - Set binary mode
ftp> cd sgi/Mail                       - The Mail directory
ftp> get Mail                          - Get the new binary
ftp> quit                              - quit ftp
chmod 2755 Mail                        - Make sure permissions are correct
chgrp mail Mail                        - Make sure group is correct
chown bin Mail                         - Make sure owner is correct

For additional information or assistance, please contact CIAC

David Brown
(415) 423-9878 or (FTS) 543-9878

FAX: (415) 423-0913 or (FTS) 543-0913

or send e-mail to:

ciac@tiger.llnl.gov

The assistance of Kevin E. Leininger and Matt Wicks of Fermi National
Accelerator Laboratory and Chuck Athey and Ross Guant of Lawrence
Livermore National Laboratory is gratefully acknowledged.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does
not necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.
