Brief Description: expreserve(8) uses popen(3) to execute mail(8). It doesn't properly restrict the IFS variable.
Detailed Description: vi(1) is a text editor available on most versions of the UNIX operating system. When it receives a hangup signal (signal 1), or the user uses the preserve command from within the editor, vi executes the expreserve command. expreserve preserves the file being edited so that the session can be restarted with minimal loss of editing. In order to put the data into a protected directory, expreserve is setuid to root. expreserve uses popen to execute mail to send a letter informing the user of its completion status. expreserve does not reset the environment variable IFS to a safe state before it calls popen.
Component(s): vi ex3.7expreserve popen sh
Version(s): those distributed with the named operating systems
Operating System(s): SunOS 4.1.3 and earlier (trusted source); Solaris 2.2 and earlier (trusted source).
Other Information: A user account is required.
Effects:Access to the account of the owner of expreserve
Detecting the Vulnerability:
* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.
* Replace mail with a shell script or program that prints the current value of IFS. Add the character / to the value of the IFS variable. Run vi, execute the "preserve" command, and see if the value of IFS in your current environment is printed. If so, you have the vulnerability.
Fixing the Vulnerability:
* Upgrade to a newer version.
* For SunOS 4 systems, apply Sun patch 101080-01.
* If you have the source code, clean out the environment before calling popen.
* Make the directory in which expreserve stores its saved data world writable, and turn off the setuid bit.
Keywords:vi, expreserve, popen, sh, IFS
Attack Methods or Tools: Not provided.
Advisories and Other Alerts: Sun Advisory 00120
Related Vulnerabilities: none.
First Report We Know Of: by Peter Shipley
Revisions of Database Record
1. Matt Bishop(Jan. 31, 1999): Entered into DOVES.
2. Mike Dilger(original): Entered into original database.