Bugtraq mailing list archives

Vulnerability in HP OpenMail


From: dej () INODE ORG (David Jones)
Date: Tue, 21 Apr 1998 18:35:29 -0400


HP's OpenMail system consists of a server package that installs on an HP9000
workstation, as well as a client (Omgui).  Other mail systems may also be
able to interface to it.

In Omgui, if you select "Options->Printer..." from the menu, you will be
prompted for a printer command.  The default is something like
"lp -dlaser4si".  This command is simply executed on the server, presumably
using the system() call.

This means that any mail user can run arbitrary shell commands on the mail
server.  For example, if I change my printer to:

cat /etc/passwd | /usr/lib/sendmail jones

and print a message, then I will get a copy of the password file.

The good news is that mail users have their own Unix UIDs on the server.
("id | /usr/lib/sendmail jones" returns the relevant info.)
As long as OpenMail stores users' mail folders as user-owned files with
appropriate permissions, then there should be no way to read other users'
mail.

The real problem is situations where the sysadmin has denied users regular
login access to the mail server, possibly by putting "*" in the password
field.  This is standard practice as a security measure.  If you have done
this on your OpenMail server, then you may want to check your security
measures carefully - your users can get the equivalent of shell whether you
allow it or not.
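A server-side sketch of how the pattern described above can be closed, as an added example that is not from the original post and is not HP's code: the client supplies only a printer name, the server validates it, and lp is started with an argument vector so no shell ever parses user input. The function names, the 32-byte limit and the /usr/bin/lp path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The post presumes the server does the equivalent of
 *     system(user_supplied_printer_command);
 * which lets /bin/sh interpret pipes, semicolons and so on. */

/* Hypothetical check: accept only a bare printer name such as "laser4si".
 * Spaces, shell metacharacters and a leading '-' are all rejected. */
int printer_name_ok(const char *name)
{
    size_t n, i;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hypothetical print handler. message_fd is an open descriptor holding the
 * message text. Returns lp's exit status, or -1 on rejection or failure. */
int print_message(const char *printer, int message_fd)
{
    char dest[40];
    int status;
    pid_t pid;
    if (!printer_name_ok(printer)) return -1;   /* rejected before any fork */
    snprintf(dest, sizeof dest, "-d%s", printer);
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "lp", dest, NULL };
        char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment */
        if (dup2(message_fd, STDIN_FILENO) < 0) _exit(126);
        execve("/usr/bin/lp", argv, envp);  /* assumed lp path; no shell */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

With this shape the printer setting stops being a command at all, so accounts whose login is disabled cannot use it to reach a shell.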


