From proff  Wed Jul  3 03:13:09 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA03574 for best-of-security; Wed, 3 Jul 1996 03:13:08 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id CAA02123 for <proff@SUBURBIA.NET>; Wed, 3 Jul 1996 02:14:21 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23324-26847>; Tue, 2 Jul 1996 12:12:09 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id MAA27239; Tue, 2 Jul 1996 12:09:34 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 125307 for BUGTRAQ@NETSPACE.ORG; Tue, 2 Jul 1996 11:52:07
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id LAA25912 for <BUGTRAQ@NETSPACE.ORG>; Tue, 2
          Jul 1996 11:51:13 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by netspace.org
          (8.7/8.6.12) with SMTP id EAA18044 for <BUGTRAQ@netspace.org>; Tue, 2
          Jul 1996 04:01:09 -0400
Received: by mercury.Sun.COM (Sun.COM) id BAA00531; Tue, 2 Jul 1996 01:01:08
          -0700
Received: from Holland.Sun.COM by sunmail1.Sun.COM (SMI-8.6/SMI-4.1) id
          BAA04125; Tue, 2 Jul 1996 01:01:05 -0700
Received: from albano by Holland.Sun.COM (4.1/SMI-4.1-sd.fkk2004) id AA09852;
          Tue, 2 Jul 96 10:00:59 +0200
Received: from holland (room101) by albano (5.0/SMI-SVR4-se.fkk110) id AA12859;
          Tue, 2 Jul 1996 10:00:57 +0200
Approved-By:  Casper Dik <casper@HOLLAND.SUN.COM>
Message-ID: <9607020800.AA12859@albano>
Date: 	Tue, 2 Jul 1996 10:00:57 +0200
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: Casper Dik <casper@holland.Sun.COM>
Subject:      Re: Solaris mailx hole
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Your message of "Tue, 02 Jul 1996 01:08:49 EDT."
              <Pine.SUN.3.91.960702005934.18788A-100000@bigdog.fred.net>

>It's a very very old hole in /bin/mail that allows race conditions in
>which .rhosts files can be created...
>
>I would have thought this was fixed by 2.5, but it wasn't. My boss just a
>few minutes ago exploited it on a sol2.5 machine.


Very interesting.

In Solaris 2.5,

        /usr/bin/mail is set-gid mail, not set-uid root
        /usr/bin/mailx is set-gid mail, not set-uid root
        /usr/lib/sendmail doesn't use /bin/mail for the delivery of
        mail, it uses /usr/lib/mail.local


If there's a problem I really want to get it fixed, but considering that
mail delivery uses an entirely different program in Solaris 2.5, I find
it hard to believe that the 8lgm exploit still works.

Even in Solaris 2.3 with patches all I get is bounced mail with:

mail: '/var/mail/root' must be regular or character special file with no links

or no output at all.

(this is with /bin/mail patch 101574-04 but the readme doesn't list any
security fixes)


Casper
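The bounce text Casper quotes ("must be regular or character special file with no links") is the visible side of the check a local delivery agent has to make on /var/mail/<user> before appending. The following is an added example, not Casper Dik's, Sun's, or 8lgm's code, of how that check is done without reopening the race: open the path first, refusing to follow a symlink, then fstat() the descriptor that was actually opened and test its type and link count. It assumes a modern POSIX system with O_NOFOLLOW (not available on 1996 Solaris), and the fixture paths, the enum names and the run_demo() self-check are all made up for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical status codes for the example; not from any real mailer. */
enum mbox_status {
    MBOX_OK = 0,
    MBOX_OPEN_FAILED,   /* open()/fstat() failed for an ordinary reason */
    MBOX_SYMLINK,       /* final path component is a symlink (ELOOP) */
    MBOX_NOT_REGULAR,   /* neither a regular nor a character-special file */
    MBOX_HAS_LINKS      /* regular file with a second hard link */
};

/* Open a /var/mail/<user>-style path for append and validate it.
 * Order matters: open first (O_NOFOLLOW refuses a symlink), then fstat()
 * the descriptor we hold. A stat() on the path *before* the open is
 * exactly the window a link race swaps the file in.
 * Returns the fd on success (*st = MBOX_OK), -1 otherwise. */
int open_mailbox(const char *path, enum mbox_status *st)
{
    struct stat sb;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) {
        *st = (errno == ELOOP) ? MBOX_SYMLINK : MBOX_OPEN_FAILED;
        return -1;
    }
    if (fstat(fd, &sb) < 0) {
        close(fd);
        *st = MBOX_OPEN_FAILED;
        return -1;
    }
    /* "must be regular or character special file" (/dev/null is allowed) */
    if (!S_ISREG(sb.st_mode) && !S_ISCHR(sb.st_mode)) {
        close(fd);
        *st = MBOX_NOT_REGULAR;
        return -1;
    }
    /* "with no links": with st_nlink > 1 the appended message also lands
     * under the other name, which may be a file such as a .rhosts that a
     * privileged delivery agent must never write to. */
    if (S_ISREG(sb.st_mode) && sb.st_nlink != 1) {
        close(fd);
        *st = MBOX_HAS_LINKS;
        return -1;
    }
    *st = MBOX_OK;
    return fd;
}

/* Self-check on constructed fixtures in a fresh temp dir: a clean mailbox
 * is accepted, a symlink is refused, and once a second hard link exists
 * even the genuine path is refused. Returns a bitmask; 7 = all three
 * cases behaved as intended. */
int run_demo(void)
{
    char dir[] = "/tmp/mboxdemo.XXXXXX";
    char mbox[64], sym[64], hard[64];
    enum mbox_status st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(mbox, sizeof mbox, "%s/root", dir);
    snprintf(sym,  sizeof sym,  "%s/root.sym", dir);
    snprintf(hard, sizeof hard, "%s/root.hard", dir);

    fd = open(mbox, O_WRONLY | O_CREAT, 0600);      /* plain mailbox */
    if (fd >= 0) {
        close(fd);
        if ((fd = open_mailbox(mbox, &st)) >= 0 && st == MBOX_OK) {
            result |= 1;
            close(fd);
        }
    }
    if (symlink(mbox, sym) == 0 &&                  /* symlink in its place */
        open_mailbox(sym, &st) < 0 && st == MBOX_SYMLINK)
        result |= 2;
    if (link(mbox, hard) == 0 &&                    /* second hard link */
        open_mailbox(mbox, &st) < 0 && st == MBOX_HAS_LINKS)
        result |= 4;

    unlink(hard); unlink(sym); unlink(mbox); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("demo result: %d (expect 7)\n", r);
    return r == 7 ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind. O_NOFOLLOW only protects the final path component, so the spool directory itself still has to be root-owned and not writable by ordinary users, or an attacker can replace a parent directory instead. And on systems without O_NOFOLLOW the usual substitute was lstat() the path, open() it, fstat() the descriptor and compare st_dev/st_ino, which narrows the race but does not close it; fstat() on the opened descriptor is the part of the check that cannot be raced.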

