[33685] in bugtraq
Symlink vulnerabilities in mailmgr
daemon@ATHENA.MIT.EDU (Marco van Berkum)
Fri Feb 13 10:55:29 2004
Message-ID: <402BDA59.8000501@obit.nl>
Date: Thu, 12 Feb 2004 20:56:09 +0100
From: Marco van Berkum <m.v.berkum@obit.nl>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
---------------------------------------------------------
Title : Symlink vulnerabilities in mailmgr
Bug finder : Marco van Berkum (m.v.berkum@obit.nl)
Website : http://ws.obit.nl
URL to mailmgr : http://web.onda.com.br/orso/mailmgr.html
Tested version : Mailmgr-1.2.3
Date : 12 Feb 2004
---------------------------------------------------------
About mailmgr
-------------
Mailmgr is a Sendmail Analysis Report Generator that can be used to
create HTML reports.
Severity
--------
High when mailmgr is executed as root: root-owned files can then be
overwritten.
Problem description
-------------------
By default mailmgr uses predictable temporary filenames placed in /tmp,
which allows local users to launch a symlink attack to overwrite files
owned by users or superusers that run mailmgr to generate mail reports.
By default these are the temporary filenames:
/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort
Exploit
-------
Simply create a symlink in /tmp to any file you wish to overwrite, for
example:
/tmp/mailmgr.unsort -> /file/you/wish/to/corrupt
When the user (could be root) executes mailmgr, the target file will be
corrupted.
Solution
--------
Use the temporary_dir directive in /usr/local/etc/mailmgr.conf to point
to a directory that does not have a sticky bit set.
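The following is an added example, not code from the advisory or from
mailmgr itself. It reproduces the scenario described above inside a private
scratch directory (no real /tmp is touched) and contrasts three ways of
creating the temporary file: the vulnerable fixed-name open() that follows
the symlink, a hardened open with O_CREAT|O_EXCL (which refuses an existing
path, symlink included), and mkstemp(), which picks an unpredictable name
and creates it atomically. The temp_dir_is_private() audit helper is an
assumption on my part about what a reviewer would check on the directory
named by temporary_dir: owned by the invoking user and not group- or
world-writable. Names such as victim.conf, safe_tmp_write and demo are
constructed for this example.

```python
import os
import stat
import tempfile


def predictable_tmp_write(path, data):
    """Vulnerable pattern: a fixed, predictable name opened with a plain
    open(..., 'w'). open() follows symlinks, so if someone pre-created
    `path` as a symlink, the link *target* is truncated and overwritten."""
    with open(path, "w") as f:
        f.write(data)


def safe_tmp_write(path, data):
    """Hardened pattern for a fixed name: O_CREAT|O_EXCL makes open fail if
    anything already exists at `path` (a symlink counts, regardless of
    where it points); O_NOFOLLOW is added where the platform has it.
    Returns True on success, False if the name was already claimed."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:  # EEXIST or ELOOP: refuse rather than write through
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def unpredictable_tmp_write(directory, data):
    """Preferred pattern: mkstemp() chooses an unpredictable name and creates
    it atomically with O_EXCL and mode 0600. Returns the path it created."""
    fd, path = tempfile.mkstemp(prefix="mailmgr.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def temp_dir_is_private(directory):
    """Audit helper (assumption, not from the advisory): fixed temp names
    are only safe in a directory that nobody else can create entries in,
    i.e. owned by the caller and neither group- nor world-writable."""
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Runs the three writers against a constructed symlink in a private
    scratch directory and returns what happened to the target file."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")  # constructed target
        with open(victim, "w") as f:
            f.write("original contents\n")

        # The predictable name from the advisory, pre-linked to the target.
        link = os.path.join(scratch, "mailmgr.unsort")
        os.symlink(victim, link)

        predictable_tmp_write(link, "report data\n")
        corrupted = open(victim).read() != "original contents\n"

        # Restore the target, then retry with the hardened writer.
        with open(victim, "w") as f:
            f.write("original contents\n")
        refused = not safe_tmp_write(link, "report data\n")
        intact = open(victim).read() == "original contents\n"

        random_path = unpredictable_tmp_write(scratch, "report data\n")
        randomized = os.path.basename(random_path) != "mailmgr.unsort"

        # TemporaryDirectory() is created mode 0700, so this should pass.
        private = temp_dir_is_private(scratch)

        return {
            "corrupted": corrupted,
            "refused": refused,
            "intact": intact,
            "randomized": randomized,
            "private": private,
        }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the plain open() corrupting victim.conf through the
symlink, while the O_EXCL open refuses and leaves the target intact, and
mkstemp() never uses the guessable name at all. The directory check is the
complement to the advisory's configuration workaround: a temporary_dir that
other users cannot write into removes the precondition for the attack, and
per-user unpredictable names remove it even in a shared directory.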