Re: local root compromise in openbsd 3.0 and below

From: Manuel Bouyer (bouyerat_private)
Date: Sun Apr 14 2002 - 05:12:04 PDT


    On Fri, Apr 12, 2002 at 09:25:54PM -0600, Brett Glass wrote:
    > At 01:25 PM 4/12/2002, Manuel Bouyer wrote:
    > 
    > >NetBSD isn't vulnerable either.
    > 
    > What about Solaris? Its /bin/mail does not appear to have the -I
    > option.
    
    From my 2.7 install, it seems that /bin/mail doesn't have any shell-escape
    characters. However /usr/ucb/mail seems to be vulnerable.
    
    But for this to be exploited, there needs to be a /usr/ucb/mail command run
    by root, using input which can be influenced in some way by a non-root user.
    I don't think there's any in the base distrib but one could probably be found
    in third-party scripts. It would be best if /usr/ucb/mail was fixed to not
    accept shell escapes from non-tty inputs.
    
    -- 
    Manuel Bouyer <bouyerat_private>
    --
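
The fix suggested in the message above (do not accept shell escapes from non-tty input), sketched as an added example; it is not part of the original post and not code from /usr/ucb/mail. The '~' escape character, the "~~" literal-tilde rule and the name read_body are assumptions modelled on BSD mail's compose mode, and the escape handler itself is omitted.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ESC '~'   /* assumption: compose-mode escape character, as in BSD mail */

/* Copy message text from `in` into `body` (capacity `cap`, at least 1).
 * interactive != 0: a line starting with ESC goes to the (omitted) escape
 *   handler and is kept out of the body; "~~text" becomes the literal "~text".
 * interactive == 0: every line is plain text and nothing is interpreted.
 * Returns the number of escape lines interpreted, or -1 if `body` is full. */
int read_body(FILE *in, int interactive, char *body, size_t cap)
{
    char line[1024];
    size_t used = 0;
    int escapes = 0, bol = 1, skip = 0;

    body[0] = '\0';
    while (fgets(line, sizeof line, in) != NULL) {
        size_t n = strlen(line);
        const char *text = line;
        if (bol) {                        /* only a true line start can escape */
            skip = 0;
            if (line[0] == ESC && interactive) {
                if (line[1] == ESC) { text = line + 1; n--; }
                else { escapes++; skip = 1; }
            }
        }
        bol = (n > 0 && text[n - 1] == '\n');   /* long lines arrive in chunks */
        if (skip) continue;
        if (used + n >= cap) return -1;
        memcpy(body + used, text, n + 1);
        used += n;
    }
    return escapes;
}

int main(void)
{
    static char body[65536];
    /* Escapes are honoured only when stdin is a terminal, never for a pipe. */
    int n = read_body(stdin, isatty(STDIN_FILENO), body, sizeof body);
    if (n < 0) return 1;
    fputs(body, stdout);
    fprintf(stderr, "%d escape line(s) interpreted\n", n);
    return 0;
}
```

When a root-run script pipes data into this reader, isatty() returns 0 and a line beginning with the escape character is delivered as ordinary message text.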
    



    This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 15:16:45 PDT