Re: vulnerability in mail.local
From: Rogier Wolff <R.E.Wolff () BITWIZARD NL>
Date: Mon, 6 Nov 2000 08:40:04 +0100
Neil W Rickert wrote:
> (4) On a well managed system, there should be an alias for 'root',
> so that mail to root is read by a non-root user. Triggering
> this "bug" assumes that root will blindly reply to a message
> without examining the address to which the reply is being sent.

Huh? What's that going to make as a difference? "The account of the guy
who reads root mail" is going to be an administrator. He'll be su-ing
to root on occasion. If you own his account, you also own root.

    alias su '/tmp/.../su'

read the password, and bingo...

Some people think they can circumvent this by typing /bin/su instead
of su. Right.

For all I care you put him in a "fake-shell" and pretend to be his
real shell. Until he executes whatever he normally does to become
Once you own the user-account of the administrator, you can work
yourself up to "root".

** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* Common sense is the collection of *
****** prejudices acquired by age eighteen. -- Albert Einstein ********
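
A defensive check for the alias variant described in the message above, as an added example that is not part of the original post: it scans shell startup files for lines that redefine `su` or `sudo` as an alias or function. The names `scan_rc`, `demo` and `WATCHED` are hypothetical and the sample file is constructed; it does not cover the replaced-shell case the post also mentions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): flag startup-file lines that
# redefine su or sudo as an alias or shell function.

# Assumption: the commands worth watching; extend as needed.
WATCHED='su|sudo'

# scan_rc FILE...: print "file:line:text" for every matching definition.
scan_rc() {
  local f
  for f in "$@"; do
    [ -r "$f" ] || continue
    # -e 1: alias in sh/bash/zsh form (alias su=...) or csh form (alias su '...')
    # -e 2: POSIX function definition      su() { ... }
    # -e 3: ksh/bash function keyword form function su { ... }
    grep -nHE \
      -e "^[[:space:]]*alias[[:space:]]+(-[a-z]+[[:space:]]+)?($WATCHED)([=[:space:]]|$)" \
      -e "^[[:space:]]*(function[[:space:]]+)?($WATCHED)[[:space:]]*\(\)" \
      -e "^[[:space:]]*function[[:space:]]+($WATCHED)([[:space:]{]|$)" \
      "$f" || true   # no match is not an error
  done
}

# demo: run the scan over a constructed startup file and print the hits.
demo() {
  local tmp
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
alias su '/tmp/.../su'
alias ll='ls -l'
alias sudo=/home/user/bin/sudo
su() { /home/user/bin/wrapper "$@"; }
function sudo { :; }
# alias su=disabled
summary() { :; }
alias suspend='kill -STOP $$'
EOF
  scan_rc "$tmp" | sed "s|^$tmp:||"   # drop the temp path, keep line:text
  rm -f "$tmp"
}

# Scan files named on the command line, e.g. ~/.bashrc ~/.cshrc ~/.profile.
if [ "$#" -gt 0 ]; then scan_rc "$@"; fi
```

A hit is a prompt for review, not proof of tampering, since administrators sometimes alias these commands themselves.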