Full Disclosure mailing list archives
Symlink vulnerabilities in mailmgr
From: Marco van Berkum <m.v.berkum () obit nl>
Date: Thu, 12 Feb 2004 20:57:55 +0100
---------------------------------------------------------
Title          : Symlink vulnerabilities in mailmgr
Bug finder     : Marco van Berkum (m.v.berkum () obit nl)
Website        : http://ws.obit.nl
URL to mailmgr : http://web.onda.com.br/orso/mailmgr.html
Tested version : Mailmgr-1.2.3
Date           : 12 Feb 2004
---------------------------------------------------------

About mailmgr
-------------
Mailmgr is a Sendmail Analysis Report Generator that can be used to create HTML reports.

Severity
--------
High when mailmgr is executed as root: root-owned files can then be overwritten.

Problem description
-------------------
By default mailmgr uses predictable temporary filenames placed in /tmp, which allows local users to launch a symlink attack to overwrite files owned by users or superusers that run mailmgr to generate mail reports.

By default these are the temporary filenames:

/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort

Exploit
-------
Simply create a symlink in /tmp to any file you wish to overwrite, for example: /tmp/mailmgr.unsort -> /file/you/wish/to/corrupt. When the user (could be root) executes mailmgr, the target file will be corrupted.

Solution
--------
Use the temporary_dir directive in /usr/local/etc/mailmgr.conf to point to a directory that does not have a sticky bit set.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
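
For developers fixing this class of bug at the source, the following added example (not mailmgr's code, which is not shown in the advisory) creates scratch files so that a link planted at a predictable name is refused instead of followed. The function names and the scratchdemo directory are hypothetical; the self-check plants its own link inside a private directory it creates.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fixed name: O_CREAT|O_EXCL makes open() fail if anything, including a
 * symlink (dangling or not), already exists at path. Returns fd or -1. */
int open_scratch_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * exclusively with mode 0600. tmpl must be writable and end in "XXXXXX". */
int open_scratch_random(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Self-check on constructed data: a link sits at the predictable name and
 * the file it points to must keep its contents. Returns 0 on success,
 * otherwise the number of the step that failed. */
int selfcheck(void)
{
    char dir[] = "/tmp/scratchdemo.XXXXXX";
    char target[128], lnk[128], rnd[128], buf[16] = {0};
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/mailmgr.unsort", dir);
    snprintf(rnd, sizeof rnd, "%s/mailmgr.XXXXXX", dir);
    FILE *f = fopen(target, "w");
    if (!f) return 2;
    fputs("important", f); fclose(f);
    if (symlink(target, lnk) != 0) return 3;
    if (open_scratch_excl(lnk) != -1) return 4;   /* link must be refused */
    f = fopen(target, "r");
    if (!f || !fgets(buf, sizeof buf, f) || strcmp(buf, "important")) return 5;
    fclose(f);
    int fd = open_scratch_random(rnd);
    if (fd < 0) return 6;
    close(fd); unlink(rnd); unlink(lnk); unlink(target); rmdir(dir);
    return 0;
}

int main(void) { return selfcheck(); }
```
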