Shell Programming:
an Exploit Explained, continued...
HOW TO EXPLORE A COMPUTER FROM INSIDE A SHELL ACCOUNT
What else can we
do that is fun?
You can do a thorough
exploration of everything that you are allowed to access from
your account with just four commands: "pwd", "cd",
"ls" and "cat". Sound too good to be
true? I'll prove to you it's really this easy, now!
Special bonus:
if you just got root with that shell script above, you now can
totally explore your victim computer!
HOW TO READ EMAIL DIRECTLY FROM THE
MAIL SPOOL
How about a nerdy
Unix way to read your incoming email? (If you are root
you can read everyone's email this way. In the US, your
ISP has the legal right to read your email -- another reason
to be friends, and not enemies, of the tech support staff!) This
is a real blast from the past, an example of what life was like
before email, when us old folks used to have to send each other
messages by simply transferring files.
First, let's find
out where we are right now. For that you use the "pwd"
command. Your results may vary with this command, but if
you give this command right after logging in you will see your
user name as part of the current directory.
Now it's time to
start moving around. Let's try out these commands to get
into the email directory. On most Unix systems you can
do this with the command:
->cd /var/spool/mail
If that doesn't
work, try:
->cd /var/mail
Now -- can you
resist? Since you are in /var/spool/mail, with the command
"ls" you can find out the user names of everyone who
gets email here. If you really wish to snoop, give the
command ls -alF (or on some systems "ls -alK") and
you can even find out if anyone has world-readable email.
==========================================================
Newbie note: How do you figure out if someone's email is world
readable? "ls -alF /var/spool/mail/myusername" (substituting
your user name for "myusername") will give something
that looks like this:
-rw------- 1 cpm 31217 May 3 16:14
/var/spool/mail/cpm
That's my mail.
But if you see something like this:
-rw----r-- 1 cpm 31217 May 3 16:14
/var/spool/mail/cpm
That means anyone
can read it. And if you see this:
-rw----rw- 1 cpm 31217 May 3 16:14
/var/spool/mail/cpm
That means anyone
could alter my incoming email!
===========================================================
Here's an obnoxious
trick. If someone were to put the wrong stuff in someone's
mail spool, it would disable their email reading programs so
they couldn't get their email until it got fixed. For example,
my email programs can be disabled by bringing the file /var/spool/mail/cpm
up in an editor program, putting the words "This is a test"
at the top of the file, and saving it.
If your mail spool
should get messed up someday so that your email program can't
read it, you can straighten it out easily. Just give the
command "pico /var/spool/mail/myusername" (or whatever
the path turns out to be for your mail spool). Then use
the editor to first read and save any email you want, then delete
everything in that file! Leave it empty! That will
get rid of whatever the messed up stuff was.
If you can handle
a problem like this by yourself, tech support will be thankful
that you don't call them crying about every little thing.
So let's suppose
you use the "ls -alF" (or "ls -alK") command
on the entire mail spool at your ISP. If you do find that
someone's email can be read by anyone in the world, you need
to make a decision. Do you want to make friends and increase
the likelihood that you will be able to get a great job someday
at your ISP? Then don't snoop! You can win points
with tech support if you point out the problem politely.
Make friends way: Email tech support with the message, "I
was checking file permissions on my email and noticed that user
name JoeBlow has world-readable mail."
Make enemies and get kicked off your ISP way: Email the victim
user with the message "You are owned!!! Muhahaha!!!"
More
shell programming --->>
