CVE-1999-0123

LOW 3.7 / 10.0
Published: December 1, 1995 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Race condition in Linux mailx command allows local users to read user files.

CVSS Metrics

Base Score: 3.7
Severity: LOW
Vector String: AV:L/AC:H/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local privilege escalation is possible due to a race condition in the mailx command on vulnerable Linux systems. This allows an attacker to read arbitrary user files, potentially leading to sensitive data compromise and system control.

02 // Vulnerability Mechanism

Step 1: Target Selection: The attacker identifies a target file to read (e.g., /etc/shadow, /etc/passwd).

Step 2: Symbolic Link Creation: The attacker creates a symbolic link from a location where mailx will create a temporary file (e.g., /tmp/mailx.XXXXXX) to the target file.

Step 3: Race Condition Trigger: The attacker rapidly invokes mailx to send a message, triggering the creation of the temporary file. The attacker attempts to win the race against mailx's file creation.

Step 4: File Content Overwrite: If the attacker wins the race, mailx writes the message content through the symbolic link, effectively overwriting the contents of the target file.

Step 5: Information Disclosure: The attacker reads the contents of the overwritten temporary file, which now contains the sensitive information from the target file.

03 // Deep Technical Analysis

The vulnerability stems from a race condition in the mailx command's handling of temporary files. When mailx is invoked to send mail, it creates temporary files to store the message content. An attacker can exploit this by rapidly creating a symbolic link to a target file (e.g., /etc/shadow) and then triggering mailx to write to the linked temporary file. The window between the temporary file's creation and the write operation is small, which is what makes this a race. If the attacker wins the race, the contents of the target file are written to the attacker-controlled temporary file, which can then be read, leading to information disclosure and potential privilege escalation. The core flaw is the lack of proper synchronization and validation of the temporary file's target, which results in a TOCTOU (Time-of-Check to Time-of-Use) vulnerability.
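The temporary-file handling described above, as an added example that is not mailx source code or part of the original entry: a temp-file open that follows whatever already sits at the path, next to one that refuses it. The function names, the `mail.tmp` file name and the self-check are hypothetical; the self-check runs entirely inside a private `mkdtemp()` directory with a constructed stand-in target.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: predictable name, no O_EXCL. A symlink already at `path` is followed. */
int open_tmp_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL creates atomically and fails with EEXIST if
 * anything, including a symlink, already exists at `path`. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check (hypothetical helper). A constructed file stands in for the
 * protected target and a symlink occupies the temp-file name.
 * Returns a bitmask: 1 = hardened open refused, target intact;
 *                    2 = weak open followed the link and truncated it. */
int selfcheck(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", target[64], tmp[64];
    struct stat st;
    int fd, result = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/mail.tmp", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(target, tmp) != 0) return -1;

    fd = open_tmp_safe(tmp);            /* must fail: the name is taken */
    if (fd < 0 && errno == EEXIST && stat(target, &st) == 0 && st.st_size == 4)
        result |= 1;
    if (fd >= 0) close(fd);
    fd = open_tmp_weak(tmp);            /* succeeds, but on the link's target */
    if (fd >= 0 && stat(target, &st) == 0 && st.st_size == 0) result |= 2;
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(target); rmdir(dir);
    return result;
}

int main(void) { printf("selfcheck = %d\n", selfcheck()); return 0; }
```

In practice `mkstemp()` gives the same exclusive-create guarantee and also picks an unpredictable name, so it is the usual replacement for a hand-built temp path.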
