lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 Feb 2004 20:56:09 +0100
From: Marco van Berkum <m.v.berkum@...t.nl>
To: bugtraq@...urityfocus.com
Subject: Symlink vulnerabilities in mailmgr


---------------------------------------------------------
Title          : Symlink vulnerabilities in mailmgr
Bug finder     : Marco van Berkum (m.v.berkum@...t.nl)
Website        : http://ws.obit.nl
URL to mailmgr : http://web.onda.com.br/orso/mailmgr.html
Tested version : Mailmgr-1.2.3
Date           : 12 Feb 2004
---------------------------------------------------------

About mailmgr
-------------
Mailmgr is a Sendmail Analysis Report Generator that can be used to 
create HTML reports.

Severity
--------
High when mailmgr is executed as root, root owned files can then be 
overwritten.

Problem description
-------------------
By default mailmgr uses predictable temporary filenames placed in /tmp, 
which allows local users to launch a  symlinkattack to overwrite files 
owned by users or superusers that run mailmgr to generate mailreports. 

By default these are the temporary filenames:

/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort

Exploit
-------
Simply create a symlink in /tmp to any file you wish to overwrite, for 
example: 

/tmp/mailmgr.unsort -> /file/you/whish/to/corrupt

When the user (could be root) executes mailmgr the targetfile will be 
corrupted.

Solution
--------
Use the temporary_dir directive in /usr/local/etc/mailmgr.conf to point 
to a directory that does not have a sticky bit set.




Powered by blists - more mailing lists