COMMAND
/usr/bin/rmail
SYSTEMS AFFECTED
IRIX 3.x, 4.x, 5.x.x, 6.0.x, 6.1, 6.2, 6.3, 6.4, 6.5, 6.5.1m
PROBLEM
/usr/bin/rmail is sgid mail. The man page clearly says rmail is
only required by UUCP; still, it's installed everywhere. It has
also been known to have bugs for years, which SGI has addressed
with a series of patches. Quite unfortunately, all of them fail
to fix the problem completely, including the most recent one,
1639 (for 6.2; sibling patches exist for other releases). It's a
small and simple program: it just passes a slightly modified
message from stdin to sendmail, as usual by way of system().
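To exploit, set the LOGNAME environment variable to something
like:
    blah;mycommand
Because the value ends up in the command line handed to system(),
the shell treats the text after the semicolon as a separate
command, which runs with rmail's sgid mail privileges.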
Credit for this goes to Yuri Volobuev.
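The pattern behind this bug and a hardened replacement, as an added example (not rmail's source and not SGI's patch). The function names, the 32-character limit, the "-f" sender argument and the mailer path passed by the caller are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (constructed illustration, not rmail's source):
 *   sprintf(cmd, "%s -f%s %s", mailer, getenv("LOGNAME"), rcpt);
 *   system(cmd);        // the shell parses ';' in LOGNAME */

/* Allowlist check: letters, digits, '_', '.', '-'; no leading '-'. */
int is_safe_name(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened form: validate, drop the extra group, exec without a shell.
 * Returns the mailer's exit status, or -1 if input is rejected. */
int run_mailer(const char *mailer, const char *from, const char *rcpt)
{
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment */
    int status;
    pid_t pid;
    if (!is_safe_name(from) || !is_safe_name(rcpt)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0) _exit(126);  /* assumption: group not needed */
        execle(mailer, mailer, "-f", from, rcpt, (char *)NULL, envp);
        _exit(127);                              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *who = getenv("LOGNAME");
    printf("LOGNAME %s\n", is_safe_name(who) ? "accepted" : "rejected");
    return 0;
}
```

Each value is passed as a single argv element, so no shell ever parses it, and the allowlist rejects the advisory's sample LOGNAME before any process is started.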
SOLUTION
Fortunately, it syslogs all invocations of itself, so at least
you'll know when someone is doing something bad. Remove the sgid
bit from it. Patches are:
OS Version     Patch #      Other Actions
----------     -------      -------------
IRIX 3.x       not avail    Note 1, 2 & 3
IRIX 4.x       not avail    Note 1, 2 & 3
IRIX 5.0.x     not avail    Note 1, 2 & 3
IRIX 5.1.x     not avail    Note 1, 2 & 3
IRIX 5.2       not avail    Note 1, 2 & 3
IRIX 5.3       3347
IRIX 6.0.x     not avail    Note 1, 2 & 3
IRIX 6.1       not avail    Note 1, 2 & 3
IRIX 6.2       3348
IRIX 6.3       3394
IRIX 6.4       3394
IRIX 6.5       not avail    Note 4
IRIX 6.5.1m    3393         Note 5
NOTES
1) Upgrade to currently supported IRIX operating system.
2) Change permissions.
3) Unsupported by SGI, "freeware" sendmail distributions can be
found at http://www.sendmail.org/
4) For IRIX 6.5, you must first install IRIX 6.5.1 Maintenance
Release and then install patch 3393. If you have not received
an IRIX 6.5.1m CD for IRIX 6.5, contact your SGI Support
Provider or download the Maintenance Release from
http://support.sgi.com/
5) Patchsets have been replaced with quarterly Maintenance
Releases Streams starting with IRIX 6.5. Information about
Maintenance Release Streams can be found in the IRIX 6.5
Technical Brief at: http://www.sgi.com/software/irix6.5/