-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Gert Meijerink & Don Stikvoort Index : S-95-05 Distribution : World Page : 1 Classification: External Version: Final Subject : /bin/mail vulnerabilities Date : 30-Jan-95 =============================================================================== By courtesy of CERT/CC we received the following information about vulnerabilities in /bin/mail. It is an updated version of CERT Advisory CA-95:02 of January 26, 1995. We advise you to take very good notice if this applies to your situation, and take relevant steps. However we do warn you that the current fix has some flaws, which are addressed in the following disclaimer, for which we thankfully acknowledge Gene Spafford of the Purdue CERT. - -- Start disclaimer We encourage local site admins to read this advisory. Note, however, that the version of mail.local distributed by the CERT may not be appropriate to install on your system for the following reasons: * it does not compile properly on every version of Unix where you may be running sendmail and need to apply it. If it does not compile without error, be very careful about making changes to get it to compile -- the code uses some features that may not be fully portable. Changes to this code should be made with great care so as not to introduce new vulnerabilities. * there is a known flaw in the code that may allow users to corrupt the disk if they can write to /usr/spool/mail. If your mail spool directory is mode 1777, this flaw may be exploited and you probably should not install this code without carefully weighing the risk. Also note that the code assumes your mail spool directory is located in /var/spool, and this is not the case on many machines. The definition in the code may need to be changed. - -- End disclaimer In spite of this disclaimer however CERT-NL felt it necessary to not longer delay the publication of this advisory. Any improvements to the fix will be made available immediately through our infoserver - details see below. =============================================================================== There are vulnerabilities in some versions of /bin/mail. Section III below provides vendor-specific information and an alternative to /bin/mail. As we receive additional information relating to this advisory, it will be placed, along with any clarifications, in an S-95-05.APPENDIX file available under: ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/bulletin The first version of this APPENDIX is distributed at the same time as this advisory. Later versions will as a rule NOT be actively distributed by CERT-NL: so please check regularly if you deem this necessary. - ----------------------------------------------------------------------------- I. Description Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable because of timing windows (a.k.a. race conditions) in the way /bin/mail uses publicly writable directories. II. Impact Local users (users that have an account on the system) can create or modify root-owned files on the system and can thereby gain unauthorized root access. III. Solutions Either install a patch from your vendor or replace /bin/mail with mail.local . A. Obtain the appropriate patch from your vendor and install it according to the instructions included with the patch. Below is a summary of the vendors listed in the current version of the S-95-05.APPENDIX file, and the status they have provided. More complete information, including how to obtain patches, is provided in the APPENDIX file itself, which will be updated as more information from vendors is received. If your vendor's name is not on this list, please contact the vendor directly. {Note by courtesy of CIAC: Cray entry added --CERT-NL} Vendor or Source Status ---------------- ------------ Apple Computer, Inc. not vulnerable Berkeley SW Design, Inc. (BSDI) not vulnerable Cray Research, Inc not vulnerable Data General Corp. not vulnerable Digital Equipment Corp. vulnerable, patches available FreeBSD not vulnerable Harris not vulnerable IBM not vulnerable NetBSD not vulnerable NeXT, Inc. not vulnerable Pyramid not vulnerable The Santa Cruz Operation (SCO) see note in Appendix A Solbourne (Grumman) vulnerable - contact vendor Sun Microsystems, Inc. SunOS 4.x vulnerable, patches available, patch revisions coming soon Solaris 2.x not vulnerable {Note by courtesy of DFN CERT: if the patch 102042-01 for SunOS 5.4 (Solaris 2.4) for "backward compatibility of /bin/mail to 4.x versions" will make the /bin/mail program vulnerable is not clear --CERT-NL} B. Replace /bin/mail with mail.local. If you cannot obtain a vendor-supplied replacement for /bin/mail, using mail.local as a replacement for /bin/mail is recommended. Although the current version of mail.local is not a perfect solution, it addresses the vulnerabilities currently being exploited in /bin/mail. As improvements to mail.local become available, they will be noted in the README file associated with mail.local . The current version of mail.local has been tested on SunOS 4.1 and Ultrix 4.X systems. Mail.local.c for BSD 4.3 systems, along with its README file containing installation instructions, can be found under:. ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/patches/mail.local MD5 checkusm for mail.local.c = c0d64e740b42f6dc5cc54a2bc37c31b0 - --------------------------------------------------------------------------- The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl Strickland, Wietse Venema, and Neil Woods for their contributions to mail.local. - --------------------------------------------------------------------------- ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6IDTSYjBqwfc9jEQInlACfWFRtGk8r5VM52nw3cNxT/lVmSh0AoNkW 3Px6q0BZAUWWA435DBsi2hfr =VrNZ -----END PGP SIGNATURE-----