***********************************************************************
DDN Security Bulletin 9102             DCA DDN Defense Communications System
25 Feb 91                              Published by: DDN Security Coordination Center
OBSOLETES DDN Sec. Bull. 9101          (SCC@NIC.DDN.MIL)   (800) 235-3155

                   DEFENSE DATA NETWORK SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DCA contract as a means of communicating
information on network and host security exposures, fixes, & concerns
to security & management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20] using
login="anonymous" and password="guest". The bulletin pathname is
SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************

                   REVISED SunOS /bin/mail Vulnerability

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer          !
!  Emergency Response Team (CERT) and is being relayed unedited         !
!  via the Defense Communications Agency's Security Coordination        !
!  Center distribution system as a means of providing DDN               !
!  subscribers with useful security information.                        !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

CA-91:01a                      CERT Advisory
                             February 22, 1991
                   REVISED SunOS /bin/mail Vulnerability
-------------------------------------------------------------------------

                 *** THIS IS A REVISED CERT ADVISORY ***

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received the following information from Sun Microsystems, Inc. (Sun).
Sun has given the CERT/CC permission to distribute their Security
Bulletin. It contains information regarding a fix for a vulnerability
in SunOS 4.0.3, SunOS 4.1 and SunOS 4.1.1.
An important piece of information was missing from the Sun Security
Bulletin #00105 which was included in the CA-91:01 CERT Advisory on
this same subject. After the old /bin/mail has been renamed, it is
important to remove the setuid root bit. Sun also suggests that the
protection bits on the new /bin/mail be set to 4111 instead of 4755.
The CERT/CC advises that the /bin/mail.old file be removed once the new
/bin/mail is in place and verified to be functioning correctly.

This is from the original Sun Security Bulletin #00105:

AS ROOT:
            # mv /bin/mail to /bin/mail.old
            # cp $arch/$os/mail to /bin/mail
              (where $arch is either sun3 sun4 sun4c or sun3x)
              (and where $os is either 4.0.3 4.1 or 4.1.1)
            ( change the permissions for the newly installed mail)
            # chmod 4755 /bin/mail

In CERT's opinion, the CERT Advisory should have the following
information.

AS ROOT:
            # mv /bin/mail to /bin/mail.old
new->       # chmod 400 /bin/mail.old
            # cp $arch/$os/mail to /bin/mail
              (where $arch is either sun3 sun4 sun4c or sun3x)
              (and where $os is either 4.0.3 4.1 or 4.1.1)
            ( change the permissions for the newly installed mail)
updated ->  # chmod 4111 /bin/mail

The complete Sun Security Bulletin #00105 is being resent including the
CERT/CC changes.

For more information, please contact Sun Microsystems at 1-800-USA-4SUN.

-------------------------------------------------------------------------

SUN MICROSYSTEMS SECURITY BULLETIN: #00105

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this information
without the express written consent of Sun Microsystems shall be
prohibited. Sun expressly disclaims all liability for any misuse of this
information by any third party.

============================================================================

All of these patches are available through your local Sun answer centers
worldwide, as well as through anonymous ftp to ftp.uu.net in the
~ftp/sun-dist directory.
Please refer to the Sun BugID and PatchID when requesting patches from
Sun answer centers. NO README information will be posted in the patch on
UUNET. Please refer to the information below for patch installation
instructions.

============================================================================

Sun Bug ID  : 1047340
Synopsis    : /bin/mail can be caused to invoke a root shell if given
              the (im)proper arguments.
Sun Patch ID: 100224-01
Checksum of compressed tarfile 100224-01.tar.Z = 64102 109

============================================================================

Patch-ID# 100224-01
Keywords: mail, delivery, /bin/mail, 4.1, sendmail
Synopsis: SunOS 4.1.1, 4.1, 4.0.3: program "mail" problem in delivering
          mail + security enhancement
Date: 15 Jan 1990

SunOS release: 4.0.3 4.1 4.1.1

Topic: /bin/mail delivering fix

BugId's fixed with this patch: 1045636 1047340

Architectures for which this patch is available: sun3, sun3x, sun4,
sun4c, sun4/490_4.1_PSR_A.

Patches which may conflict with this patch: 100161-01. This patch
obsoletes patch 100161-01 since this patch incorporates the 100161-01
fixes plus the new fixes.

Obsoleted by: SysV Release 4

Problem Description:

Bug ID: 1045636

/bin/mail is the local delivery agent for sendmail. In some particular
instances, /bin/mail parses its arguments incorrectly and therefore
mail is being dropped into the bit bucket...

If you have users that have "f" as the second character, you might want
to try the following: (substitute "af" with any user with "f" as the
second character)

From any machine except mailhost:

/bin/lib/sendmail -t -v <
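As an added check for the CERT-revised installation steps above (this script is written for this edition and is not part of the CERT advisory or the Sun bulletin), the POSIX shell function below verifies that an installed tree matches the revised advice: the new /bin/mail is mode 4111, and any leftover /bin/mail.old no longer carries the setuid bit. The ROOT argument is an assumption so the check can be run against a staging tree as well as "/"; it relies only on ls -ld and test -u.

```shell
#!/bin/sh
# Added example (not from the CERT/Sun bulletin): verify the revised
# /bin/mail installation state described in CA-91:01a. ROOT is an
# assumed argument so the check can run against a staging tree or "/".

# Nine-character permission string of a file, e.g. "--s--x--x" for
# mode 4111. Uses ls -ld so it works on any POSIX system.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# check_mail_install ROOT
# Returns 0 when the layout matches the revised advisory, 1 otherwise,
# printing one line per failed check.
check_mail_install() {
    root=$1
    rc=0
    new="$root/bin/mail"
    old="$root/bin/mail.old"

    if [ ! -f "$new" ]; then
        echo "FAIL: $new is missing"
        return 1
    fi

    # Revised advisory: chmod 4111 (setuid, execute-only for everyone).
    p=$(perm_string "$new")
    if [ "$p" != "--s--x--x" ]; then
        echo "FAIL: $new is $p, advisory recommends 4111 (--s--x--x)"
        rc=1
    fi

    # The renamed original must not keep setuid root (chmod 400 in the
    # revised steps); CERT also advises removing it once the new one works.
    if [ -e "$old" ]; then
        if [ -u "$old" ]; then
            echo "FAIL: $old still has the setuid bit ($(perm_string "$old"))"
            rc=1
        else
            echo "NOTE: $old still present; remove it once /bin/mail is verified"
        fi
    fi
    return $rc
}

# Usage: sh check_mail.sh /   (or a staging root)
if [ -n "${1:-}" ]; then
    check_mail_install "$1"
fi
```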