CERT
 
US-CERT Vulnerability Notes Database CERT Statistics Vulnerability Disclosure Policy CERT Knowledgebase Courses Link to US-CERT cylab
 

CERT® Advisory CA-1995-02 Vulnerabilities in /bin/mail

Original issue date: January 26, 1995
Last revised: September 23, 1997
Updated Copyright statement

A complete revision history is at the end of this file. This advisory supersedes CA-91.01a and CA-91.13.

There are vulnerabilities in some versions of /bin/mail. Section III below provides vendor-specific information and an alternative to /bin/mail.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable because of timing windows in the way /bin/mail uses publicly writable directories.

II. Impact

Local users (users that have an account on the system) can create or modify root-owned files on the system and can thereby gain unauthorized root access.

III. Solutions

Either install a patch from your vendor or replace /bin/mail with mail.local.

A. Obtain the appropriate patch from your vendor and install it according to the instructions included with the patch.

Below is a summary of the vendors listed in Appendix A of this advisory and the information they have provided. If your vendor's name is not on this list, please contact the vendor directly.

Vendor or SourceStatus
Apple Computer, Inc.not vulnerable
Berkeley SW Design, Inc. (BSDI)not vulnerable
Data General Corp.not vulnerable
Digital Equipment Corp.vulnerable, patches available
Free BSDnot vulnerable
Harrisnot vulnerable
IBMnot vulnerable
NetBSDnot vulnerable
NeXT, Inc.not vulnerable
Pyramidnot vulnerable
The Santa Cruz Operation (SCO)see note in Appendix A
Solbourne (Grumman)vulnerable - contact vendor
Sun Microsystems, Inc.SunOS 4.x vulnerable, patches available,
patch revisions coming soon
Solaris 2.x not vulnerable

B. Replace /bin/mail with mail.local.

If you cannot obtain a vendor-supplied replacement for /bin/mail, the CERT Coordination Center recommends using mail.local as a replacement for /bin/mail.

Although the current version of mail.local is not a perfect solution, it addresses the vulnerabilities currently being exploited in /bin/mail.

mail.local is now provided with the lastest version of sendmail. That version can be found at

ftp://ftp.cert.org/pub/tools/sendmail/sendmail-latest*

The original version of mail.local has been tested on SunOS 4.1 and Ultrix 4.X systems.

Mail.local.c for BSD 4.3 systems, along with a README file containing installation instructions, can be found on the anonymous FTP servers listed below.

Location

ftp://ftp.cert.org/pub/tools/mail.local/mail.local.c
MD5 c0d64e740b42f6dc5cc54a2bc37c31b0

ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/mail.local.c
MD5 c0d64e740b42f6dc5cc54a2bc37c31b0

Appendix A: Vendor Information

Below is information we have received from vendors who have patches available or upcoming for the vulnerabilities described in this advisory, as well as vendors who have confirmed that their products are not vulnerable. If your vendor's name is not in one of these lists, contact the vendor directly for information on whether their version of sendmail is vulnerable and, if so, the status of patches to address the vulnerabilities.

NOT VULNERABLE

The following vendors have reported that their products are NOT vulnerable.
    Apple Computer, Inc.
    Berkeley SW Design, Inc. (BSDI)
    Data General Corp.
    Harris
    IBM
    NeXT, Inc.
    Pyramid
    The Santa Cruz Operation (SCO) - not vulnerable, but see note below
    Sun Microsystems, Inc. - Solaris 2.x (SunOS 4.x is vulnerable; see below)
In addition, we have reports that the following products are NOT vulnerable.
    FreeBSD
    NetBSD

VULNERABLE

We have reports that the following vendors' products ARE vulnerable. Patch information is provided below.

Digital Equipment Corporation

Vulnerable:DEC OSF/1 versions 1.2, 1.3, and 2.0
DEC ULTRIX versions 4.3, 4.3A, and 4.4

Obtain and install the appropriate patch according to the instructions included with the patch. The patch that corrects the /bin/mail problem in each case is part of a comprehensive Security Enhanced Kit that addresses other problems as well. This kit has been available since May 17, 1994. It is described in DEC security advisory #0505 and in CERT bulletin VB-94:02.

  1. DEC OSF/1
    Upgrade/install OSF/1 to a minimum of V2.0 and install Security Enhanced Kit CSCPAT_4061 v1.0.

  2. DEC ULTRIX
    Upgrade/install ULTRIX to a minimum of V4.4 and install Security Enhanced Kit CSCPAT_4060 v1.0.

Both kits listed above are available from Digital Equipment Corporation by contacting your normal Digital support channel or by request via DSNlink for electronic transfer.

The Santa Cruz Operation (SCO)

SCO's version of /bin/mail is not vulnerable to the problems mentioned in this advisory. SCO's /bin/mail is not setuid-root. However, SCO's /bin/mail has other security-related issues that are fixed by SCO's Support Level Supplement (SLS) uod392a. To get this:

ftp: ftp.sco.COM:/SLS/uod392a.Z (compressed disk image)
ftp.sco.COM:/SLS/uod392a.ltr.Z(cover letter)
ftp.sco.COM:/SLS/README

Solbourne

Grumman System Support Corporation now performs all Solbourne software and hardware support. Please contact them for further information.

ftp: ftp.nts.gssc.com
phone: 1-800-447-2861
e-mail: support@nts.gssc.com

Sun Microsystems, Inc.

Current patches are listed below:

SunOSPatchMD5 Checksum
4.1.3100224-13.tar.Z90a507017a1a40c4622b3f1f00ce5d2d
4.1.3U1101436-08.tar.Z0e64560edc61eb4b3da81a932e8b11e1

The patches can be obtained from local Sun Answer Centers and through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, the patches are available from mcsun.eu.net in the /sun/fixes directory.

The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl Strickland, Wietse Venema, and Neil Woods for their contributions to mail.local.

This document is available from: http://www.cert.org/advisories/CA-1995-02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1995, 1996 Carnegie Mellon University.

Revision History 
Sep. 23 1997   Updated Copyright statement
Nov. 21, 1996  Removed Appendices B & C.
               Sec. B, paragraph 3 - updated information about the location
               of mail.local.
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory, and URL formats were updated.
June 09, 1995  Appendix A - corrected patch information from Sun.