Bugtraq mailing list archives
Vulnerability in HP OpenMail
From: dej () INODE ORG (David Jones)
Date: Tue, 21 Apr 1998 18:35:29 -0400
HP's OpenMail system consists of a server package that installs on an HP9000 workstation, as well as a client (Omgui). Other mail systems may also be able to interface to it.

In Omgui, if you select "Options->Printer..." from the menu, you will be prompted for a printer command. The default is something like "lp -dlaser4si". This command is simply executed on the server, presumably using the system() call. This means that any mail user can run arbitrary shell commands on the mail server.

For example, if I change my printer to:

    cat /etc/passwd | /usr/lib/sendmail jones

and print a message, then I will get a copy of the password file.

The good news is that mail users have their own Unix UIDs on the server. ("id | /usr/lib/sendmail jones" returns the relevant info.) As long as OpenMail stores users' mail folders as user-owned files with appropriate permissions, then there should be no way to read other users' mail.

The real problem is situations where the sysadmin has denied users regular login access to the mail server, possibly by putting "*" in the password field. This is standard practice as a security measure. If you have done this on your OpenMail server, then you may want to check your security measures carefully - your users can get the equivalent of shell whether you allow it or not.
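One way a server could avoid the problem described in the post, as an added example (not HP's code and not part of the original message): accept only a printer destination name from the client, validate it, and run lp through an argv array so no shell ever parses the client's string. The function names, the /usr/bin/lp path, the 32-byte limit and the server-generated spool file are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a printer destination name, never a command line:
 * letters, digits, '_' and '-', at most 32 bytes, no leading '-'. */
int valid_printer_dest(const char *dest)
{
    size_t n = strlen(dest);
    if (n == 0 || n > 32 || dest[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)dest[i]) && dest[i] != '_' && dest[i] != '-')
            return 0;
    return 1;
}

/* Build the single argv entry "-d<dest>"; -1 if dest is rejected. */
int build_lp_arg(const char *dest, char *out, size_t outlen)
{
    if (!valid_printer_dest(dest))
        return -1;
    int n = snprintf(out, outlen, "-d%s", dest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Run lp with a fixed path and an argv array. No shell parses the
 * client's string, so '|' and ';' carry no meaning. LP_PATH and the
 * server-generated spool file `path` are assumptions of this example. */
#define LP_PATH "/usr/bin/lp"
int print_file(const char *dest, const char *path)
{
    char darg[40];
    int status;
    if (build_lp_arg(dest, darg, sizeof darg) != 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execl(LP_PATH, "lp", darg, path, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this shape the printer string from the post is rejected before any process is started, while the default destination "laser4si" still prints.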