[357] in linux-security and linux-alert archive
security hole in deliver
daemon@ATHENA.MIT.EDU (Alvaro Martinez Echevarria)
Tue Sep 12 05:12:33 1995
Date: Tue, 12 Sep 1995 09:49:30 +0200
From: Alvaro Martinez Echevarria <alvaro@etsit.upm.es>
To: linux-security@tarsier.cv.nrao.edu
>>
>> On 4 Sep 1995, Panzer Boy wrote:
>>
>> > [mod: The obvious alternative would be to have the mail drop directory
>> > mode 1777... Dunno how sendmail and smail react to forwarding
>> > statements in mailboxes not owned by the proper user --okir]
>>
>> If I understand this correctly, there are some security holes with this
>> approach. I don't know current mailers' behavior, but one of the possible
>> problems is the fact that everyone can create any nonexistent file in the mail
>> drop directory. For example, a link to someone's .rhosts or something
>> like that...
>>
Just one example: the last version of deliver I tried didn't test if
mailboxes were symlinks before delivering mail. This allows you to overwrite
any file on the system, given that you have write permission on /var/spool/mail
and that /var/spool/mail/root doesn't exist. I symlinked /var/spool/mail/root
to /etc/rc.d/rc.local and then made something like:
hck@site:~$ deliver root <<END
cp /bin/sh /tmp/hck
chmod 4755/tmp/hck
END
with great results. I don't know if this still works, but if it does we should
fix it soon. By the way, to exploit this bug it's not strictly necessary that
/var/spool/mail has mode 1777, as write permission on that directory could be
obtained by other methods (for example, exploiting vulnerabilities of
sendmail-8.6.9 where it still works).
Does this still work? Was anybody aware of this?
Alvaro Martinez Echevarria
MADRID---------------SPAIN
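The fix the thread is asking for is a check on the delivery side, before anything is appended to the mailbox. The following is an added example written for this archive page; it is not code from deliver, sendmail or smail, and the function names (open_mailbox_safely, demo) and the scratch spool it builds under /tmp are my own constructions. It opens the mailbox with O_NOFOLLOW so a symlink planted in a writable spool is refused, then uses fstat on the open descriptor (not stat on the path, which would race) to require a regular file with a single link owned by the recipient, which also catches a hard link to a root-owned file such as rc.local. The demo builds a legitimate mailbox, a symlink and a hard link in a temporary directory and returns 0 only if the mailbox is accepted and both link tricks are rejected.

```c
/* Added example: defensive mailbox open for a local delivery agent.
 * Not deliver's code; names and the scratch spool are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an fd opened for appending, or -1 with errno set when the
 * mailbox is not a plain regular file owned by `recipient_uid`. */
int open_mailbox_safely(const char *path, uid_t recipient_uid)
{
    /* O_NOFOLLOW: the open fails with ELOOP if the last component is a
     * symlink.  No O_CREAT: a delivery agent running with privilege must
     * not create arbitrary new files from a world-writable spool either;
     * mailbox creation belongs in a separate, stricter code path. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    /* Inspect the file we actually opened, not the path (avoids a
     * check-then-use race with someone who can write the directory). */
    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    /* Regular file, exactly one name, owned by the recipient.  The link
     * count rejects a hard link planted in the spool to a file elsewhere. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != recipient_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo.  Builds a scratch spool containing a genuine mailbox,
 * a symlink named "root" pointing at a stand-in for rc.local, and a hard
 * link to the same file.  Returns 0 if the check behaves as intended;
 * bits are set for each unexpected outcome, -1 if setup itself failed. */
int demo(void)
{
    char dir[] = "/tmp/spool-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;

    char good[300], sym[300], hard[300], target[300];
    snprintf(good, sizeof good, "%s/alice", dir);       /* legitimate mailbox */
    snprintf(sym, sizeof sym, "%s/root", dir);          /* symlink "mailbox" */
    snprintf(hard, sizeof hard, "%s/root2", dir);       /* hard-link "mailbox" */
    snprintf(target, sizeof target, "%s/rc.local", dir); /* stands in for /etc/rc.d/rc.local */

    int fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(target, sym) < 0) return -1;
    if (link(target, hard) < 0) return -1;

    int rc = 0;
    fd = open_mailbox_safely(good, getuid());
    if (fd < 0) rc |= 1; else close(fd);           /* genuine mailbox must open */

    fd = open_mailbox_safely(sym, getuid());
    if (fd >= 0) { rc |= 2; close(fd); }           /* symlink must be refused */
    else if (errno != ELOOP) rc |= 4;              /* ...by O_NOFOLLOW specifically */

    fd = open_mailbox_safely(hard, getuid());
    if (fd >= 0) { rc |= 8; close(fd); }           /* hard link must be refused */
    else if (errno != EPERM) rc |= 16;             /* ...by the link-count check */

    unlink(good); unlink(sym); unlink(hard); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo result: %d (0 = mailbox accepted, symlink and hard link rejected)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The ownership test is what matters for the case in the post: with the mailbox for root absent, anyone who can write the spool can supply the name, but they cannot make the opened file be a root-owned regular file with a single link under a name they control, so the append never reaches rc.local.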