
[cobalt-users] suid perl - 2 month old hazard



Jeff Lovell wrote:

The correct address to send security issues to is
(security@xxxxxxxxxx).

ARGHHH... Jeff, I tried to send you some additional
information regarding this topic and recv'd this from
the security@xxxxxxxxxx email address.

   ----- The following addresses had permanent fatal errors -----
security@xxxxxxxxxxxxxxxxxxxxx
    (expanded from: <security@xxxxxxxxxx>)

   ----- Transcript of session follows -----
... while talking to postoffice.cobalt.com.:
>>> RCPT To:<security@xxxxxxxxxxxxxxxxxxxxx>
<<< 550 <security@xxxxxxxxxxxxxxxxxxxxx>... User unknown
550 security@xxxxxxxxxxxxxxxxxxxxxxxx User unknown

------------------

That aside - 

1) Doesn't one need shell access to execute this
exploit?

2) Does anyone have an RaQ3 or RaQ4 that does *not*
have Neomail installed on their system? If so, can you
please check to see what permissions are set on
/usr/bin/suidperl ..? 

Neomail is the only software I've installed on my
machines, I've actually removed software instead
(e.g., all compilers which I'm sure has been a saving
grace). But I found this little blurb from the author
of Neomail at sourceforge:

>Q. A setuid or setgid perl script is insecure! 
>I will never use NeoMail until it doesn't run 
>with extra permissions!

I'm now just trying to determine if Neomail set the
SUID bit on suidperl or was it already there by
default out of the box..? GSH says it is set by
default on the RaQ2's - so if anyone has a RaQ3/4
without Neomail, please check the permissions and let
us know. 

If it is Neomail that's changed things around, then
everyone who's installed Neomail will be at risk for
this exploit. If it's set with the SUID bit out of the
factory/box, then *everyone* is at risk regardless
(remove those compilers).


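
The permission check asked for in the message above, as an added example that is not part of the original post: a small shell audit that reports whether a file such as /usr/bin/suidperl carries the setuid or setgid bit and who owns it, and lists every such file under a directory. Only the /usr/bin/suidperl path comes from the thread; the script name and the function names suid_status and audit_dir are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): setuid/setgid audit helpers.
# Usage: sh suidcheck.sh /usr/bin/suidperl [more files or directories...]

# Print "<state> uid=<owner uid>" for one file, where state is
# setuid, setgid, setuid+setgid or plain; print "missing" if it is absent.
suid_status() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    if [ -u "$f" ] && [ -g "$f" ]; then state="setuid+setgid"
    elif [ -u "$f" ]; then state="setuid"
    elif [ -g "$f" ]; then state="setgid"
    else state="plain"
    fi
    # Third field of `ls -ldn` is the numeric owner; uid=0 means the
    # program runs with root privileges when the setuid bit is set.
    owner=$(ls -ldn "$f" | awk '{print $3}')
    echo "$state uid=$owner"
}

# List regular files under a directory that carry either bit,
# staying on one filesystem (-xdev).
audit_dir() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Only acts when paths are given on the command line.
for p in "$@"; do
    if [ -d "$p" ]; then audit_dir "$p"
    else printf '%s: %s\n' "$p" "$(suid_status "$p")"
    fi
done
```

The permission bits alone do not show whether they were set at install time or changed afterwards. On a system that uses RPM (an assumption about the machine being checked), `rpm -Vf /usr/bin/suidperl` compares the file against the package database and flags a changed mode with an `M`.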