On Fri, Nov 19, 2021 at 09:08:49PM -0500, Alan Glasser wrote:
> Most of the hundreds (thousands?) of Unix systems running in Bell
> Labs seemed to have well guarded root passwords. There was always
> social engineering, like Rob mentioned. And, of course, setuid root
> exploits that I enjoyed.

Does anyone remember the security vulnerability that existed where
/bin/mail was setuid root, and you could issue the command "!/bin/ed
/etc/passwd" and the editor would be executed as root because
/bin/mail failed to drop the setuid root privs before executing the
shell escape?

When I was a Freshman at MIT I was implementing some image processing
programming on an old Unix system for a Materials Science professor in
1987 as part of MIT's Undergraduate Research Opportunities Program
(UROP). It was some ancient Unix program, and to my amazement, the
/bin/mail security vulnerability was there even though it was a famous
security oopsie that should have been patched long before. I *think*
the system was some kind of AT&T Unix (not BSD) system, but I can't
remember the hardware or the specific Unix that was on the system.

Does anyone know how long and on which Unix variants this particular
/bin/mail setuid root vulnerability was around?
- Ted
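
The missing step described in this message, shown as an added example (not code from the thread or from any historical /bin/mail): a setuid-root program gives up its privileges in the child before it executes a shell escape, and refuses to exec if the drop fails. The function names are hypothetical and the command passed in main() is constructed.

```c
/* Added example: a shell escape that gives up setuid-root privileges first. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently return to the invoking user's ids. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();   /* real uid: the user who ran the program */
    gid_t rgid = getgid();

    /* Group first: once the uid is no longer root, setgid() would fail. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0, setuid() sets the real, effective and saved uid. */
    if (setuid(ruid) != 0) return -1;

    /* Verify the drop is irreversible: regaining root must now fail. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Run "cmd" through /bin/sh as the invoking user; returns its exit status,
 * or -1 if the child could not be created or did not exit normally. */
static int run_shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: refuse to exec anything if privileges could not be dropped. */
        if (drop_privileges() != 0) _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);          /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed command standing in for whatever follows "!" */
    printf("exit status: %d\n", run_shell_escape("id"));
    return 0;
}
```

Dropping in the child rather than the parent lets the mail program keep the privileges it needs for its own work while the escaped command runs only as the invoking user.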