Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: vulnerability in mail.local
From: Rogier Wolff <R.E.Wolff () BITWIZARD NL>
Date: Mon, 6 Nov 2000 08:40:04 +0100

Neil W Rickert wrote:
(4)  On a well managed system, there should be an alias for 'root',
     so that mail to root is read by a non-root user.  Triggering
     this "bug" assumes that root will blindly reply to a message
     without examining the address to which the reply is being sent.

Huh? What's that going to make as a difference?"the account of the guy
who reads root mail" is going to be an administrator. He'll be su-ing
to root on occasion. If you own his account, you also own root.

alias su '/tmp/.../su'
read the password, and bingo...

Some people think they can circumvent this by typing /bin/su instead
of su. Right.

For all I care you put him in a "fake-shell" and pretend to be his
real shell. Until he executes whatever he normally does to become
root.

Once you own the user-account of the administrator, you can work
yourself up to "root".

                        Roger.

--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
*       Common sense is the collection of                                *
******  prejudices acquired by age eighteen.   -- Albert Einstein ********


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]