No subject

utzoo!decvax!ucbvax!unix-wizards utzoo!decvax!ucbvax!unix-wizards
Tue Sep 8 03:08:45 AEST 1981


>From pur-ee!bruner at Berkeley Tue Sep  8 01:02:07 1981
Re: /usr/spool/mail

	From decvax!ucbvax!unix-wizards Sat Sep  5 06:25:57 1981
	Re: /usr/spool/mail : fa.unix-wizards
	>From MathStat.jmrubin at Berkeley Sat Sep  5 06:15:14 1981
		From csvax:unix-wizards Sat Sep  5 05:33:33 1981
		Subject:  Re: /usr/spool/mail
		Newsgroups: fa.unix-wizards
		>From James.Gosling at CMU-10A Sat Sep  5 05:23:07 1981
		If /usr/spool/mail is writable it's really easy to become super-user.
		
		1. copy the shell to the file /usr/spool/mail/root
		2. make it suid
		3. send mail to root
		
		When the mail is sent to root the delivery program only appends the mail to
		the mailbox and chowns the file to root.  *poof* you have a suid root shell.
		The easiest way to stop this is to not have /usr/spool/mail be writable.
		
							James.
		
		
	I don't think this would work because writing on a setuid file
	usually shuts off the setuid bits (and setgid bits); of course, this is
	installation dependent.  Of course, chown is a privileged call, but
	I suspect chown also turns off the setuid bits.  (If it doesn't, then
	it should!)
						Joel Rubin


Another way which gets around the setuid-cleared-on-write is to link
your own mailbox to something like /bin/sh (or, if /usr is mounted on
a different filesystem, something in /usr/bin or /usr/ucb that will
be run by root).  Mail a letter to yourself.  You will now own the file,
so copy in your own shell (or whatever) with a patch that will
chown/chmod one of your files to be setuid-root.  Unlink your mailbox
and link /bin/sh to /usr/spool/mail/root (moving the real one out of
the way momentarily, if necessary).  Mail something to root
to chown the altered shell back to root.  Restore /usr/spool/mail/root.
As soon as a super-user runs the altered program, you'll have access
to root.

Granted, this system requires some patience and is more vulnerable
to detection (the inode modify and change times on /bin/sh will
be different), but unless the system staff is super-alert to things
like that you'll probably be home free.

--John Bruner
(pur-ee!bruner)
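An added audit script, not part of the thread and not anyone's posted code: it checks a mail spool directory for the three conditions the messages above depend on (a spool writable by others without the sticky bit, a mailbox carrying set-id or execute bits, and a mailbox reachable under a second name via a hard link). The function name `audit_spool` and the constructed demo spool are assumptions; it needs only find(1) and POSIX sh.

```shell
#!/bin/sh
# Added example (assumption: name and demo paths). Audit a mail spool for
#   1. directory writable by others and not sticky (anyone can create or
#      replace another user's mailbox, root's included)
#   2. a mailbox with set-uid, set-gid or execute bits (mail is plain data)
#   3. a mailbox with link count > 1 (hard-linked to some other name)
# Return value: number of findings (0 = clean); 2 if the path is not a dir.

audit_spool() {
    spool=$1
    total=0
    [ -d "$spool" ] || { echo "not a directory: $spool" >&2; return 2; }

    # 1. directory mode: other-writable without the sticky bit
    if [ -n "$(find "$spool" -maxdepth 0 -type d -perm -0002 ! -perm -1000)" ]; then
        echo "WARN: $spool is world-writable without the sticky bit"
        total=$((total + 1))
    fi

    # 2. mailboxes with set-id or any execute bit
    set -- $(find "$spool" -maxdepth 1 -type f \
        \( -perm -4000 -o -perm -2000 -o -perm -0100 -o -perm -0010 -o -perm -0001 \))
    for f in "$@"; do echo "WARN: $f has set-id or execute bits"; done
    total=$((total + $#))

    # 3. mailboxes with more than one hard link
    set -- $(find "$spool" -maxdepth 1 -type f -links +1)
    for f in "$@"; do echo "WARN: $f has more than one link (linked elsewhere)"; done
    total=$((total + $#))

    return "$total"
}

# Constructed demo spool: world-writable and not sticky, a set-uid "root"
# mailbox, and a user mailbox hard-linked to a second name (two findings,
# one per name). Expect four WARN lines and a return value of 4.
demo_spool=$(mktemp -d)
chmod 0777 "$demo_spool"
: > "$demo_spool/root";  chmod 4755 "$demo_spool/root"
: > "$demo_spool/alice"; chmod 0600 "$demo_spool/alice"
ln "$demo_spool/alice" "$demo_spool/.alice-alias"
: > "$demo_spool/bob";   chmod 0600 "$demo_spool/bob"
if audit_spool "$demo_spool"; then echo "clean"; else echo "findings: $?"; fi
rm -rf "$demo_spool"
```

A clean spool in the sense of this check is mode 1777 (or 0775 owned by the mail group) with every mailbox 0600/0660, link count 1 and no execute bits.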


