Vulnerability Development mailing list archives
Re: redhat 6.1 mail
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Thu, 23 Mar 2000 00:02:46 -0600
From what I can tell, jan is putting an executable into /var/mail/myusername that does: setgid(6); system("/bin/sh"); and is setting it setgid, then redhat comes along and chgrp's it to group mail, which then can be executed to gain a shell that has mail-group access. Since I don't run RedHat here I couldn't try it, but the SuSE system I tried it on has all of the mailbox files' group set to the user's default group, so it obviously doesn't work. Any RedHat users want to give it a try?

-HD
http://www.secureaustin.com

jan bakker wrote:

Hello fellow roots,

One day I found that redhat 6.1 takes not only suid bits but also guid. You are owner of your mail file, but it still belongs to the group mail, so:

    void(){ set suid bit to user; set guid bit to 6; }

Compile it and move it to /var/mail/user, chmod 4700 /var/mail/user ... result:

    reddog@home$id
    uid 300(me),gid 40(users)
    reddog@home$cd /var/mail
    reddog@home$me
    reddog@home$id
    uid(300),gid 6(mail)

Now you can read other people's mail, but 6 is lower than 15, so at some systems you can add new users !!! Even a root user !!!

red

p.s. It is noted very badly, this because otherwise newbies and dipshits use it on schools. The good guys get the picture.
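The condition the thread describes is a file in the mail spool that is executable and carries a set-id bit, so that running it yields the spool's group. An administrator's check for that state, written here as an added example (it is not code from either poster), is to audit the spool directory for any regular file with setuid, setgid or execute bits and strip them. The spool path /var/mail, the sample mailbox names and their modes below are constructed for the demonstration; mailbox files should be plain data, typically mode 0660 or 0600.

```sh
#!/bin/sh
# Added example for this thread (not code from the original posts): audit a mail
# spool directory for mailbox files that carry a setuid, setgid or execute bit,
# and strip those bits. Mailboxes are data files and should never be executable.

# Print every regular file under the spool directory (default /var/mail) that has
# the setuid (4000), setgid (2000) or any execute (0111) bit set.
audit_spool() {
    spool="${1:-/var/mail}"
    find "$spool" -type f \( -perm -4000 -o -perm -2000 -o -perm -0111 \) -print
}

# Remediation: remove set-id and execute bits from every file the audit flags,
# leaving the owner/group read and write permissions untouched.
fix_spool() {
    audit_spool "$1" | while IFS= read -r f; do
        chmod u-s,g-s,a-x "$f"
    done
}

# Build a constructed sample spool in a temporary directory: two ordinary
# mailboxes and one file that has been given mode 4700 as in the thread.
# Prints the directory path so callers can audit and clean it up.
make_sample_spool() {
    dir=$(mktemp -d)
    printf 'From alice@example.com\n' > "$dir/alice";   chmod 0660 "$dir/alice"
    printf 'From bob@example.com\n'   > "$dir/bob";     chmod 0600 "$dir/bob"
    printf 'not a mailbox\n'          > "$dir/mallory"; chmod 4700 "$dir/mallory"
    echo "$dir"
}

# Number of files the audit flags under the given spool directory.
count_flagged() {
    audit_spool "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the sample, audit it, fix it, audit again.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_spool)
    echo "flagged before fix:"; audit_spool "$d"
    fix_spool "$d"
    echo "flagged after fix: $(count_flagged "$d")"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the constructed spool audited before and after remediation; against a real system, `audit_spool /var/mail` alone is the read-only check, and any hit deserves a look at who owns the file and how it got its mode before `fix_spool` is applied.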
Current thread:
- redhat 6.1 mail jan bakker (Mar 20)
- Re: redhat 6.1 mail H D Moore (Mar 22)
- Re: redhat 6.1 mail Michal Zalewski (Mar 24)
- Re: redhat 6.1 mail Christopher Rhodes (Mar 24)
- Re: redhat 6.1 mail Luis Pinto (Mar 23)
- Re: redhat 6.1 mail H D Moore (Mar 22)