Re: redhat 6.1 mail

[hdm () SECUREAUSTIN COM (H D Moore)]

> Fromwhat I can tell, jan is putting an executable into
/var/mail/myusername that does:

setgid(6);
system("/bin/sh");

and is setting it setgid, then redhat comes along and chgrp's it to
group mail, which then can be executed to gain a shell that has
mail-group access.  Since I don't run RedHat here I couldnt try it, but
the SuSE system I tried it on has all of the mailbox files's group set
to the users default group so it obviously doesnt work.  Any RedHat
users want to give it a try?

-HD

http://www.secureaustin.com

jan bakker wrote:
> hello fello root's,
>
> one day i found that redhat 6.1 takes not only suid bits but also guid.
>
> you are owner of your mail file but it still belongs to the group mail
>
> so
>
> void(){
> set suid bit to user;
> set guid bit to 6;
> }
>
> compile it and move it to
>
> /var/mail/user
> chmod 4700 /var/mail/user
> ...
>
> result:
> reddog@home$id
> uid 300(me),gid 40(users)
> reddog@home$cd /var/mail
> reddog@home$me
> reddog@home$id
> uid(300),gid 6(mail)
>
> now you can read other people mail but,
> 6 is lower than 15 so at some systems you can add new users !!!
> even a root user !!!
>
> red
>
> p.s. it is noted verry badly this becouse else newbies and dipshits use it
> on schools. The good guys get the picture.