expreserve PATH environment variable checking error

Vulnerability Description

Brief Description: expreserve(8) uses popen(3) to execute mail(8). It doesn't properly restrict the PATH variable.

Detailed Description: vi(1) is a text editor available on most versions of the UNIX operating system. When it receives a hangup signal (signal 1), or the user uses the preserve command from within the editor, vi executes the expreserve command. expreserve preserves the file being edited so that the session can be restarted with minimal loss of editing. In order to put the data into a protected directory, expreserve is setuid to root. expreserve uses popen to execute mail to send a letter informing the user of its completion status. expreserve does not reset the environment variable PATH to a safe state before it calls popen.

Component(s): vi ex3.7expreserve popen sh

Version(s): those distributed with the named operating systems

Operating System(s): SunOS 4.1.3 and earlier (trusted source); Solaris 2.2 and earlier (trusted source).

Other Information: A user account is required.

Effects:Access to the account of the owner of expreserve

Detecting the Vulnerability:

* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.

* Replace mail with a shell script that prints the current value of PATH (using, for example, echo(1)). Add the directory / to your search path. Run vi, issue the command "preserve", and see if the value of PATH in your current environment is printed. If so, you have the vulnerability.

Fixing the Vulnerability:

* Upgrade to a newer version.

* For SunOS 4 systems, apply Sun patch 101080-01.

* If you have the source code, clean out the environment before calling popen.

* Make the directory in which expreserve stores its saved data world writable, and turn off the setuid bit.

Cataloguing

Keywords:vi, expreserve, popen, sh, PATH

Exploiting

Attack Methods or Tools: Not provided.

Related Information

Advisories and Other Alerts: Sun Advisory 00120

Related Vulnerabilities: none.

History

First Report We Know Of: by Peter Shipley

Revisions of Database Record

1. Matt Bishop(Jan. 31, 1999): Entered into DOVES.

2. Mike Dilger(original): Entered into original database.