Aucbvax.2986
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Tue Sep  8 03:08:45 1981

>From pur-ee!bruner@Berkeley Tue Sep  8 01:02:07 1981
Re: /usr/spool/mail

       From decvax!ucbvax!unix-wizards Sat Sep  5 06:25:57 1981
       Re: /usr/spool/mail : fa.unix-wizards
       >From MathStat.jmrubin@Berkeley Sat Sep  5 06:15:14 1981
               From csvax:unix-wizards Sat Sep  5 05:33:33 1981
               Subject:  Re: /usr/spool/mail
               Newsgroups: fa.unix-wizards
               >From James.Gosling@CMU-10A Sat Sep  5 05:23:07 1981
               If /usr/spool/mail is writable it's really easy to become super-user.

               1. copy the shell to the file /usr/spool/mail/root
               2. make it suid
               3. send mail to root

               When the mail is sent to root the delivery program only appends the mail to
               the mailbox and chowns the file to root.  *poof* you have a suid root shell.
               The easiest way to stop this is to not have /usr/spool/mail be writable.

                                                       James.


               I don't think this would work because writing on a setuid file
       usually shuts off the setuid bits (and setgid bits); of course, this is
       installation dependent.  Of course, chown is a priviledged call, but
       I suspect chown also turns off the setuid bits.  (If it doesn't, then
       it should!)
                                               Joel Rubin


Another way which gets around the setuid-cleared-on-write is to link
your own mailbox to something like /bin/sh (or, if /usr is mounted on
a different filesystem, something in /usr/bin or /usr/ucb that will
be run by root).  Mail a letter to yourself.  You will now own the file,
so copy in your own shell (or whatever) with a patch that will
chown/chmod one of your files to be setuid-root.  Unlink your mailbox
and link /bin/sh to /usr/spool/mail/root (moving the real one out of
the way momentarily, if necessary).  Mail something to root
to chown the altered shell back to root.  Restore /usr/spool/mail/root.
As soon as a super-user runs the altered program, you'll have access
to root.

Granted, this system requires some patience and is more vulnerable
to detection (the inode modify and change times on /bin/sh will
be different), but unless the system staff is super-alert to things
like that you'll probably be home free.

--John Bruner
(pur-ee!bruner)

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.