Vulnerability Description

Brief Description: rdist(8) uses popen(3) to execute sendmail(8). It doesn't properly restrict the IFS variable.

Detailed Description: rdist is a program designed to keep filesystems synchronized across multiple machines in a trusted network. rdist uses popen to execute sendmail to send a letter informing the user of its completion status. rdist does not reset the environment variable IFS to a safe state before it calls popen.

Component(s): rdist popen sh

Version(s): those distributed with the named operating systems

Operating System(s): SunOS 4.1.2 and earlier (trusted source); A/UX 2.0.1 (trusted source); SCO 3.2v4.2 (trusted source); BSD NET/2-derived systems (trusted source).

Other Information: A user account is required. Network access to another system is not required as a source can be sent to a local system.

Effects:Access to the account of the owner of rdist

Detecting the Vulnerability:

* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.

* Replace sendmail with a shell script or program that prints the current value of IFS. Add the character / to the value of IFS. Run rdist and see if the value of IFS in your current environment is printed. If so, you have the vulnerability.

Fixing the Vulnerability:

* Upgrade to a newer version.

* For SunOS 4.1.2 systems, apply Sun patch 100383-06.

* If you have the source code, clean out the environment before calling popen.

Cataloguing

Keywords:rdist, popen, sh, IFS

Exploiting

Attack Methods or Tools: Not provided.

Related Information

Advisories and Other Alerts: CA-91:20.rdist.vulnerability

Related Vulnerabilities: none.

History

First Report We Know Of: by none

Revisions of Database Record

1. Omar Vanegas(Jul 22, 1998): Entered into DOVES.

2. Mike Dilger(original): Entered into original database.