Brief Description: expreserve(8) uses popen(3) to execute mail(8). popen runs the command line through sh(1), and expreserve does not restrict the PATH variable the shell uses to locate mail.
Detailed Description: vi(1) is a text editor available on most versions of the UNIX operating system. When vi receives a hangup signal (SIGHUP, signal 1), or the user issues the preserve command from within the editor, vi executes the expreserve command. expreserve saves a copy of the file being edited in a protected directory so that the session can be restarted with minimal loss of editing; in order to write into that directory, expreserve is setuid to root. expreserve then uses popen to run mail, sending the user a letter that reports its completion status. popen passes the command line to sh, which locates a command named only "mail" by searching the directories listed in PATH. expreserve does not reset PATH to a safe value before it calls popen, so the shell searches the PATH that expreserve inherited from the user who ran vi. A user who places a program of their own named mail in a directory that appears in PATH ahead of the real mail, and then forces a preserve, has that program run with expreserve's privileges.
Component(s): vi, ex 3.7, expreserve, popen, sh
Version(s): those distributed with the named operating systems
Operating System(s): SunOS 4.1.3 and earlier (trusted source); Solaris 2.2 and earlier (trusted source).
Other Information: A user account is required.
Effects: Access to the account of the owner of expreserve (root, since expreserve is setuid to root).
Detecting the Vulnerability:
* Compare versions with those listed under "Operating System(s)" above. If yours matches any of them, you are vulnerable.
* In a directory you own, create a shell script named mail that prints the current value of PATH (using, for example, echo(1)), and put that directory at the front of your search path. Run vi, issue the command ":preserve", and see whether the value of PATH from your current environment is printed. If it is, your script ran in place of the real mail and you have the vulnerability.
Fixing the Vulnerability:
* Upgrade to a newer version.
* For SunOS 4 systems, apply Sun patch 101080-01.
* If you have the source code, clean out the environment before calling popen: set PATH (and IFS) to a fixed, trusted value, or avoid the shell altogether and run mail by its absolute path with a minimal environment you construct yourself.
* Make the directory in which expreserve stores its saved data world writable, and turn off the setuid bit. This removes the privilege that made the bug exploitable, but a world-writable preserve directory lets any user delete or replace other users' preserved files, so treat it as a stopgap rather than a substitute for the patch.
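The mechanism in the Detailed Description and the source-level fix in the list above, as an added C example that is not code from Sun's expreserve or from this record. notify_unsafe reproduces the popen pattern the record describes; notify_safe shows the fix (no shell, an absolute program path, an environment built from scratch); run_experiment plants a constructed trojan named mail in a temporary directory placed at the front of PATH, calls one of the two notifiers, and reports whether the trojan ran. The function names, the message text, the assumed mailer path /usr/bin/mail and the trojan script are assumptions of the example, not details taken from the record.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Absolute path of the real mailer. This is an assumption made for the
 * example; the record does not say where expreserve expected mail to live. */
#define MAIL_PATH "/usr/bin/mail"

/* Vulnerable pattern (what the record describes): popen() hands the command
 * line to /bin/sh, which resolves the bare word "mail" through the PATH that
 * a setuid expreserve inherited from the unprivileged user who ran vi. */
int notify_unsafe(const char *user)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "mail %s", user);
    FILE *p = popen(cmd, "w");
    if (!p)
        return -1;
    fputs("Your editor buffer was preserved.\n", p);
    return pclose(p);
}

/* Hardened pattern: no shell, an absolute program path, and an environment
 * built from scratch, so nothing the caller controls decides what runs. */
int notify_safe(const char *user)
{
    char *const argv[] = { "mail", (char *)user, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int fd[2];
    if (pipe(fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fd[0], STDIN_FILENO);   /* mail reads the letter from stdin */
        close(fd[0]);
        close(fd[1]);
        execve(MAIL_PATH, argv, envp);
        _exit(127);                  /* only reached if execve failed */
    }
    close(fd[0]);
    const char *msg = "Your editor buffer was preserved.\n";
    ssize_t n = write(fd[1], msg, strlen(msg));
    (void)n;                         /* EPIPE if the mailer is absent; harmless here */
    close(fd[1]);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Plants a constructed trojan "mail" script in a fresh directory, puts that
 * directory at the front of PATH, and calls the chosen notifier. Returns 1 if
 * the trojan ran (it leaves a marker file), 0 if it did not, -1 on setup
 * failure. Runs unprivileged: it shows which program sh picks, not the root
 * escalation itself. */
int run_experiment(int use_safe)
{
    char dir[] = "/tmp/expreserve-XXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "./expreserve-XXXXXX");   /* fall back to the cwd */
        if (!mkdtemp(dir))
            return -1;
    }
    char script[300], marker[300], path[4096], saved[4096];
    snprintf(script, sizeof script, "%s/mail", dir);
    snprintf(marker, sizeof marker, "%s/trojan-ran", dir);

    FILE *f = fopen(script, "w");
    if (!f)
        return -1;
    /* Constructed trojan: drain what expreserve writes, then leave a marker.
     * In a real attack this is where the attacker's payload would run as root. */
    fprintf(f, "#!/bin/sh\ncat >/dev/null\n: > '%s'\n", marker);
    fclose(f);
    chmod(script, 0755);

    const char *old = getenv("PATH");
    int had_old = old != NULL;
    snprintf(saved, sizeof saved, "%s", had_old ? old : "");
    snprintf(path, sizeof path, "%s:%s", dir, had_old ? old : "/usr/bin:/bin");
    setenv("PATH", path, 1);             /* 'old' may dangle from here on */

    signal(SIGPIPE, SIG_IGN);            /* a dead pipe must not kill the demo */
    if (use_safe)
        notify_safe("nobody");
    else
        notify_unsafe("nobody");

    int ran = access(marker, F_OK) == 0;
    if (had_old)
        setenv("PATH", saved, 1);
    else
        unsetenv("PATH");
    unlink(marker);
    unlink(script);
    rmdir(dir);
    return ran;
}

int main(void)
{
    printf("popen(\"mail\") with inherited PATH:  trojan ran = %d\n", run_experiment(0));
    printf("execve(\"%s\") with fixed env: trojan ran = %d\n", MAIL_PATH, run_experiment(1));
    return 0;
}
```

Compile with cc and run: the popen variant reports 1 because sh found the trojan first in PATH, the execve variant reports 0. Setting PATH to a fixed value immediately before popen, as the fix list also suggests, closes this particular hole as well, but it still trusts the shell to interpret the command line; removing the shell and naming the program by absolute path leaves nothing for the caller's environment to influence.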
Keywords: vi, expreserve, popen, sh, PATH
Attack Methods or Tools: Not provided.
Advisories and Other Alerts: Sun Advisory 00120
Related Vulnerabilities: none.
First Report We Know Of: by Peter Shipley
Revisions of Database Record
1. Matt Bishop (Jan. 31, 1999): Entered into DOVES.
2. Mike Dilger (original): Entered into original database.