-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-95:02
Original issue date: January 26, 1995
Last revised: November 21, 1996
              Removed Appendices B and C. Updated Sec. B, par. 3 with the
               location of the current mail.local.

              A complete revision history is at the end of this file.

Topic: Vulnerabilities in /bin/mail
- -----------------------------------------------------------------------------

            *** This advisory supersedes CA-91:01a and CA-91:13. ***

There are vulnerabilities in some versions of /bin/mail. Section III below
provides vendor-specific information and an alternative to /bin/mail.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------

I.   Description

     Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable
     because of timing windows in the way /bin/mail uses publicly writable
     directories.

II.  Impact

     Local users (users that have an account on the system) can create
     or modify root-owned files on the system and can thereby gain
     unauthorized root access.

III. Solutions

     Either install a patch from your vendor or replace /bin/mail with
     mail.local.

     A.  Obtain the appropriate patch from your vendor and install it
         according to the instructions included with the patch.

         Below is a summary of the vendors listed in Appendix A of this
         advisory and the information they have provided. If your vendor's
         name is not on this list, please contact the vendor directly.

         Vendor or Source                   Status
         ----------------                   ------------
         Apple Computer, Inc.               not vulnerable
         Berkeley SW Design, Inc. (BSDI)    not vulnerable
         Data General Corp.                 not vulnerable
         Digital Equipment Corp.            vulnerable, patches available
         FreeBSD                            not vulnerable
         Harris                             not vulnerable
         IBM                                not vulnerable
         NetBSD                             not vulnerable
         NeXT, Inc.                         not vulnerable
         Pyramid                            not vulnerable
         The Santa Cruz Operation (SCO)     see note in Appendix A
         Solbourne (Grumman)                vulnerable - contact vendor
         Sun Microsystems, Inc.             SunOS 4.x vulnerable, patches
                                              available, patch revisions
                                              coming soon
                                            Solaris 2.x not vulnerable

     B. Replace /bin/mail with mail.local.

        If you cannot obtain a vendor-supplied replacement for /bin/mail, the
        CERT Coordination Center recommends using mail.local as a replacement
        for /bin/mail.

        Although the current version of mail.local is not a perfect solution,
        it addresses the vulnerabilities currently being exploited in
        /bin/mail.

        mail.local is now provided with the lastest version of sendmail.
        That version can be found at

        ftp://info.cert.org/pub/tools/sendmail/sendmail-latest*


        The original version of mail.local has been tested on SunOS 4.1
        and Ultrix 4.X systems.

        Mail.local.c for BSD 4.3 systems, along with a README file containing
        installation instructions, can be found on the anonymous FTP servers
        listed below.

        Location
        --------
        ftp://info.cert.org/pub/tools/mail.local/mail.local.c
        MD5  c0d64e740b42f6dc5cc54a2bc37c31b0

        ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/mail.local.c
        MD5  c0d64e740b42f6dc5cc54a2bc37c31b0

...............................................................................

Appendix A: Vendor Information

Below is information we have received from vendors who have patches available
or upcoming for the vulnerabilities described in this advisory, as well as
vendors who have confirmed that their products are not vulnerable. If your
vendor's name is not in one of these lists, contact the vendor directly for
information on whether their version of sendmail is vulnerable and, if so, the
status of patches to address the vulnerabilities.

NOT VULNERABLE
- --------------
The following vendors have reported that their products are NOT vulnerable.
         Apple Computer, Inc.
         Berkeley SW Design, Inc. (BSDI)
         Data General Corp.
         Harris
         IBM
         NeXT, Inc.
         Pyramid
         The Santa Cruz Operation (SCO) - not vulnerable, but see note below
         Sun Microsystems, Inc. - Solaris 2.x (SunOS 4.x is vulnerable; see
                                               below)

In addition, we have reports that the following products are NOT vulnerable.
         FreeBSD
         NetBSD

VULNERABLE
- ----------
We have reports that the following vendors' products ARE vulnerable.
Patch information is provided below.

- -----------------------------
Digital Equipment Corporation

Vulnerable:  DEC OSF/1 versions 1.2, 1.3, and 2.0
             DEC ULTRIX versions 4.3, 4.3A, and 4.4

Obtain and install the appropriate patch according to the instructions
included with the patch. The patch that corrects the /bin/mail problem in each
case is part of a comprehensive Security Enhanced Kit that addresses other
problems as well. This kit has been available since May 17, 1994. It is
described in DEC security advisory #0505 and in CERT bulletin VB-94:02.

        1. DEC OSF/1
           Upgrade/install OSF/1 to a minimum of V2.0 and
           install Security Enhanced Kit CSCPAT_4061 v1.0.

        2. DEC ULTRIX
           Upgrade/install ULTRIX to a minimum of V4.4 and
           install Security Enhanced Kit CSCPAT_4060 v1.0.

Both kits listed above are available from Digital Equipment Corporation by
contacting your normal Digital support channel or by request via DSNlink for
electronic transfer.

- -----------------------------
The Santa Cruz Operation (SCO)

SCO's version of /bin/mail is not vulnerable to the problems mentioned
in this advisory. SCO's /bin/mail is not setuid-root. However, SCO's
/bin/mail has other security-related issues that are fixed by SCO's
Support Level Supplement (SLS) uod392a. To get this:

ftp:    ftp.sco.COM:/SLS/uod392a.Z      (compressed disk image)
        ftp.sco.COM:/SLS/uod392a.ltr.Z  (cover letter)
        ftp.sco.COM:/SLS/README

- -----------------------------
Solbourne

Grumman System Support Corporation now performs all Solbourne
software and hardware support. Please contact them for further
information.

        ftp: ftp.nts.gssc.com
        phone: 1-800-447-2861
        e-mail: support@nts.gssc.com

- -----------------------------
Sun Microsystems, Inc.

Current patches are listed below:

        SunOS      Patch              MD5 Checksum
        ------     -----              ------------
        4.1.3      100224-13.tar.Z    90a507017a1a40c4622b3f1f00ce5d2d
        4.1.3U1    101436-08.tar.Z    0e64560edc61eb4b3da81a932e8b11e1

        The patches can be obtained from local Sun Answer Centers and
        through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist
        directory. In Europe, the patches are available from mcsun.eu.net
        in the /sun/fixes directory.


- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl
Strickland, Wietse Venema, and Neil Woods for their contributions to
mail.local.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet E-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

Past advisories, CERT bulletins, information about FIRST representatives,
and other information related to computer security are available for anonymous
FTP from info.cert.org.

Copyright 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Nov. 21, 1996  Removed Appendices B & C.
               Sec. B, paragraph 3 - updated information about the location
                 of mail.local.
Aug. 30, 1996  Information previously in the README was inserted
                into the advisory, and URL formats were updated.
June 09, 1995  Appendix A - corrected patch information from Sun.











-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMpSBxXVP+x0t4w7BAQHMUQP8DniFFLMKtR9w1j1NFE8DkoNIaAecAOye
eSuLcAWPAhMeQzyerjvf1cAyMks38alz1YSnZHVDHab6boKIVt0CHfnBNlhU338X
Rux9ID/dmfdl1JHWajDq7tSlPvAAeun99qd/4wYfmPyPSGU11NoNhbpH3QZvbNL3
1J+Xt/5Pcjc=
=iHrV
-----END PGP SIGNATURE-----