[17512] in bugtraq
Re: vulnerability in mail.local
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Mon Nov 6 12:39:20 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID: <200011060740.IAA22216@cave.bitwizard.nl>
Date: Mon, 6 Nov 2000 08:40:04 +0100
Reply-To: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
From: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
X-To: Neil W Rickert <rickert@CS.NIU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <24916.973127870@euclid.cs.niu.edu> from Neil W Rickert at "Nov 1, 2000 07:17:50 pm"
Neil W Rickert wrote:
> (4) On a well managed system, there should be an alias for 'root',
> so that mail to root is read by a non-root user. Triggering
> this "bug" assumes that root will blindly reply to a message
> without examining the address to which the reply is being sent.
Huh? What's that going to make as a difference? "The account of the guy
who reads root mail" is going to be an administrator. He'll be su-ing
to root on occasion. If you own his account, you also own root.
alias su '/tmp/.../su'
read the password, and bingo...
Some people think they can circumvent this by typing /bin/su instead
of su. Right.
For all I care you put him in a "fake-shell" and pretend to be his
real shell. Until he executes whatever he normally does to become
root.
Once you own the user-account of the administrator, you can work
yourself up to "root".
Roger.
--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* Common sense is the collection of *
****** prejudices acquired by age eighteen. -- Albert Einstein ********
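An added defender-side example, not part of Rogier's message or the bugtraq thread: a POSIX sh audit for the two conditions his reply describes, a redefinition of su (or sudo/doas) in an administrator's shell startup files, and PATH entries where a fake su could shadow /bin/su. The function names, the list of rc files and the demo directory are assumptions made for this example; the csh alias line in the demo input is the one quoted in the message above, used here only as constructed sample input for the detector.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an account for a
# trojaned "su". A compromised admin account becomes root when the admin's
# startup files alias su to a password-stealing wrapper, or when a fake su
# sits in a PATH directory that precedes /bin. Names and paths are constructed.

# Exit 0 if FILE ($1) redefines su/sudo/doas via "alias su ..." (csh/tcsh),
# "alias su=..." (sh/bash/zsh), "function su" or "su() {"; exit 1 otherwise.
rc_has_priv_override() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*(alias[[:space:]]+(su|sudo|doas)([[:space:]]|=)|function[[:space:]]+(su|sudo|doas)([[:space:]{(]|$)|(su|sudo|doas)[[:space:]]*\(\))' "$1"
}

# Exit 0 if DIR ($1) is world-writable (anyone could drop a fake su there).
# Uses the mode bits rather than -w, so the answer is the same when run as root.
dir_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print each entry of the PATH string ($1) that is empty, relative, or a
# world-writable directory; such entries let a planted binary shadow /bin/su.
path_weak_entries() {
    old_ifs=$IFS; IFS=:; set -f
    set -- $1
    set +f; IFS=$old_ifs
    for d; do
        case "$d" in
            ''|.|..|./*|../*) printf '%s\n' "${d:-<empty>}"; continue ;;
            /*) ;;
            *)  printf '%s\n' "$d"; continue ;;
        esac
        [ -d "$d" ] && dir_world_writable "$d" && printf '%s\n' "$d"
    done
    return 0
}

# Audit one account: home directory in $1, its PATH in $2. Prints findings
# and returns their count (0 means nothing suspicious was found).
audit_account() {
    home=$1; path=$2; n=0
    for f in .profile .bashrc .bash_profile .cshrc .tcshrc .zshrc; do
        if rc_has_priv_override "$home/$f"; then
            echo "override of su/sudo/doas in $home/$f"
            n=$((n + 1))
        fi
    done
    weak=$(path_weak_entries "$path")
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | sed 's/^/weak PATH entry: /'
        n=$((n + $(printf '%s\n' "$weak" | wc -l)))
    fi
    return $n
}

# Demo on constructed input: a fake home whose .cshrc carries the alias line
# quoted in the message, plus a PATH containing "." and a world-writable dir.
demo=$(mktemp -d)
mkdir -p "$demo/home" "$demo/ww" "$demo/safe"
chmod 1777 "$demo/ww"; chmod 755 "$demo/safe"
printf "alias ls 'ls -F'\nalias su '/tmp/.../su'\n" > "$demo/home/.cshrc"
audit_account "$demo/home" "$demo/safe:.:$demo/ww"
echo "findings: $?"
rm -rf "$demo"
```

Run it against a real account with `audit_account "$HOME" "$PATH"`; for the fake-shell variant Rogier also mentions, no rc grep helps, which is why the real mitigation is to treat the account that reads root's mail as root-equivalent rather than to rely on typing /bin/su.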