/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users.
SGI IRIX 3.3 and 3.3.1 systems running /usr/sbin/Mail are vulnerable to a local privilege escalation. This flaw allows any local user to read the email of other users due to an improper group ID setting. Successful exploitation grants unauthorized access to sensitive information, potentially enabling further attacks.
Step 1: User Login: A local user logs into the vulnerable SGI IRIX system.
Step 2: Mail Invocation: The user launches the /usr/sbin/Mail program.
Step 3: Group ID Flaw: The Mail program does not correctly set its effective group ID to the user's group ID. It likely retains the group ID of the process that launched it (e.g., the system's default group).
Step 4: Mailbox Access: The Mail program attempts to access the user's mailbox files (e.g., in /var/mail/).
Step 5: Permission Bypass: Because the group ID is incorrect, the file system permissions are bypassed. The user can read the mailboxes of other users who share the same group, as the program is operating with the incorrect group ID.
Step 6: Information Disclosure: The user reads the contents of other users' mailboxes, gaining access to sensitive information.
The vulnerability stems from a programming error in the /usr/sbin/Mail application on SGI IRIX 3.3 and 3.3.1. The application fails to set its effective group ID to the group ID of the user who launched the Mail program. As a result, when a user works with a mailbox, the application does not operate with that user's own group ID, and file permissions are not correctly enforced. This allows a malicious user to access the mailboxes of other users within the same group. The root cause is a missing or incorrect call to a system function such as setgid() after the program is launched, which is responsible for setting the group ID. This leads to a privilege escalation scenario where a low-privilege user can read the mail of other users.
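The group ID handling described above, shown as the hardened pattern in POSIX C. This is an added example, not IRIX source or SGI's fix; it assumes the mail program is installed set-group-ID, and the function names are hypothetical.

```c
/* Added example (not IRIX source): dropping set-group-ID privilege before
 * touching mailbox files. Function names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently return to the invoking user's group.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_group_privilege(void)
{
    gid_t real = getgid();      /* group of the user who started the program */
    gid_t priv = getegid();     /* group granted by the set-group-ID bit */

    /* setregid() with both IDs set also resets the saved set-group-ID, which
     * an unprivileged setgid() call would leave in place. */
    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* A non-root process must not be able to regain the old group. */
    if (priv != real && geteuid() != 0 && setegid(priv) == 0)
        return -1;
    return 0;
}

/* Open a mailbox read-only with the invoker's own group, so the kernel
 * applies that user's file permissions. Returns an fd, or -1. */
int open_mailbox_as_invoker(const char *path)
{
    if (drop_group_privilege() != 0)
        return -1;              /* fail closed: never open with the wrong group */
    return open(path, O_RDONLY);
}

int main(int argc, char **argv)
{
    int fd = open_mailbox_as_invoker(argc > 1 ? argv[1] : "/dev/null");

    printf("egid=%ld rgid=%ld fd=%d\n", (long)getegid(), (long)getgid(), fd);
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

The return value of the drop is checked and the open is refused on failure, so a failed or reversible drop cannot leave the program reading files with the wrong group.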