[20662] in bugtraq
MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC))
daemon@ATHENA.MIT.EDU (Rich Lafferty)
Wed May 16 08:56:43 2001
Date: Tue, 15 May 2001 17:00:43 -0400
From: Rich Lafferty <rich@alcor.concordia.ca>
To: bugtraq@securityfocus.com
Message-ID: <20010515170043.C28724@alcor.concordia.ca>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <uag0e692im.fsf@sapphire.noc.gxn.net>; from andrew.hilborne@uk.xo.com on Tue, May 15, 2001 at 02:15:45PM +0100

On Tue, May 15, 2001 at 02:15:45PM +0100, Andrew Hilborne (andrew.hilborne@uk.xo.com) wrote:
> >
> > (At least not if your /var/mail directory has the standard 1777 permissions)
> >
> > By forcing a file permission of 600 on mailboxes, group mail should not
> > gain you anything.
>
> Just how do you force 0600 on mailboxes which don't exist (many MUAs remove
> empty mailboxes?)

If that's true, then even *without* this particular bug in Solaris,
there's an icky denial of service attack waiting to happen. Sticky
mailspools are awfully common these days, and all that stops Bob from
doing

    touch /var/spool/mail/alice

and causing the MTA to refuse to deliver is that Alice's mailbox
should never *not* be there in the first place.

Which MUAs behave in the way you describe?

> Since you cannot easily do this, at the very least a malicious user should be
> able to steal other users' mail. I think.

If they can, then *that's* a flaw in the MTA, which should never
deliver into something that isn't owned by the recipient.

-Rich
--
------------------------------ Rich Lafferty ---------------------------
Sysadmin/Programmer, Instructional and Information Technology Services
Concordia University, Montreal, QC (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------
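
The delivery-side check discussed in this message (never deliver into a spool file that is not owned by the recipient, and insist on 0600), sketched as an added example that is not part of the original post or of any particular MTA. The function name `open_mailbox_checked`, the status codes and the command-line wrapper are hypothetical; the `ELOOP` mapping assumes Linux behaviour for `O_NOFOLLOW`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum mbox_status { MBOX_OK, MBOX_MISSING, MBOX_NOT_REGULAR,
                   MBOX_WRONG_OWNER, MBOX_BAD_MODE, MBOX_ERROR };

/* Hypothetical helper: open an existing spool file for append only if it is
 * a regular file owned by the recipient with no group/other permission bits.
 * Every check uses fstat() on the descriptor that will be written to, so the
 * file cannot be swapped between the check and the delivery. */
enum mbox_status open_mailbox_checked(const char *path, uid_t recipient, int *fd_out)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink planted in a 1777 spool directory;
     * O_NONBLOCK keeps a planted FIFO from hanging the delivery agent. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) {
        if (errno == ENOENT) return MBOX_MISSING;     /* caller creates it 0600 */
        if (errno == ELOOP)  return MBOX_NOT_REGULAR; /* symlink (Linux errno) */
        return MBOX_ERROR;
    }
    enum mbox_status rc = MBOX_OK;
    if (fstat(fd, &st) != 0)          rc = MBOX_ERROR;
    else if (!S_ISREG(st.st_mode))    rc = MBOX_NOT_REGULAR;
    else if (st.st_uid != recipient)  rc = MBOX_WRONG_OWNER; /* the `touch` case */
    else if (st.st_mode & 077)        rc = MBOX_BAD_MODE;    /* looser than 0600 */
    if (rc != MBOX_OK) { close(fd); return rc; }
    *fd_out = fd;
    return MBOX_OK;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <spool-file> <recipient-uid>\n", argv[0]);
        return 2;
    }
    int fd = -1;
    enum mbox_status rc = open_mailbox_checked(argv[1], (uid_t)strtoul(argv[2], NULL, 10), &fd);
    printf("status=%d\n", (int)rc);
    if (rc == MBOX_OK) close(fd);
    return rc == MBOX_OK ? 0 : 1;
}
```

A refusal with `MBOX_WRONG_OWNER` prevents the mail theft but is exactly the delivery failure described above, so it is worth logging and alerting on rather than bouncing silently.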