Message-ID: <402BDAC3.4090700@obit.nl>
From: m.v.berkum at obit.nl (Marco van Berkum)
Subject: Symlink vulnerabilities in mailmgr

---------------------------------------------------------
Title          : Symlink vulnerabilities in mailmgr
Bug finder     : Marco van Berkum (m.v.berkum@...t.nl)
Website        : http://ws.obit.nl
URL to mailmgr : http://web.onda.com.br/orso/mailmgr.html
Tested version : Mailmgr-1.2.3
Date           : 12 Feb 2004
---------------------------------------------------------

About mailmgr
-------------
Mailmgr is a Sendmail Analysis Report Generator that can be used to 
create HTML reports.

Severity
--------
High when mailmgr is executed as root: root-owned files can then be 
overwritten.

Problem description
-------------------
By default mailmgr uses predictable temporary filenames placed in /tmp, 
which allows local users to launch a symlink attack to overwrite files 
owned by users or superusers that run mailmgr to generate mail reports. 

By default these are the temporary filenames:

/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort

Exploit
-------
Simply create a symlink in /tmp to any file you wish to overwrite, for 
example: 

/tmp/mailmgr.unsort -> /file/you/wish/to/corrupt. 

When the user (could be root) executes mailmgr, the target file will be 
corrupted.

Solution
--------
Use the temporary_dir directive in /usr/local/etc/mailmgr.conf to point 
to a directory that does not have a sticky bit set.
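
Added example (not part of the original advisory and not mailmgr's code):
a C sketch of how a program can create its work files so that a symlink
planted at a predictable name is refused instead of followed. All function
names and the scratch directory are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name, hardened: O_EXCL fails if the name already exists, even as a
 * symlink; O_NOFOLLOW is a second guard. Returns fd, or -1 with errno set. */
int open_fixed_name_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name, mode 0600, with O_EXCL. */
int open_unpredictable(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/mailmgr.XXXXXX", dir) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Constructed scenario inside a private scratch directory: a symlink already
 * sits at the predictable name and points at a file that must not change.
 * Returns 0 if the hardened open refused and the target is intact. */
int symlink_refused_selftest(void)
{
    char dir[] = "/tmp/symdemo.XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/important", dir);
    snprintf(lnk, sizeof lnk, "%s/mailmgr.unsort", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep me\n", f);                 /* 8 bytes of constructed data */
    fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = open_fixed_name_safely(lnk);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    int intact = (stat(victim, &st) == 0 && st.st_size == 8);
    unlink(lnk); unlink(victim); rmdir(dir);
    return (refused && intact) ? 0 : 1;
}

int main(void) { return symlink_refused_selftest(); }
```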


