Bugtraq mailing list archives
MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC))
From: Rich Lafferty <rich () alcor concordia ca>
Date: Tue, 15 May 2001 17:00:43 -0400
On Tue, May 15, 2001 at 02:15:45PM +0100, Andrew Hilborne (andrew.hilborne () uk xo com) wrote:
(At least not if you /var/mail directory has the standard 1777 permissions) By forcing a file permission of 600 on mailboxes, group mail should not gain you anything.Just how do you force 0600 on mailboxes which don't exist (many MUAs remove empty mailboxes?)
If that's true, then even *without* this particular bug in Solaris, there's an icky denial of service attack waiting to happen. Sticky mailspools are awfully common these days, and all that stops Bob from doing touch /var/spool/mail/alice and causing the MTA to refuse to deliver is that Alice's mailbox should never *not* be there in the first place. Which MUAs behave in the way you describe?
Since you cannot easily do this, at the very least a malicious user should be able to steal other users' mail. I think.
If they can, then *that's* a flaw in the MTA, which should never deliver into something that isn't owned by the recipient. -Rich -- ------------------------------ Rich Lafferty --------------------------- Sysadmin/Programmer, Instructional and Information Technology Services Concordia University, Montreal, QC (514) 848-7625 ------------------------- rich () alcor concordia ca ----------------------
Current thread:
- Re: Solaris /usr/bin/mailx exploit (SPARC) Casper Dik (May 15)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Johann Klasek (May 15)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 16)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Andrew Hilborne (May 15)
- MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC)) Rich Lafferty (May 16)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 15)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Dan Astoorian (May 15)
- <Possible follow-ups>
- Re: Solaris /usr/bin/mailx exploit (SPARC) Tobias J. Kreidl (May 16)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 17)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Casper Dik (May 17)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 18)
- Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Wietse Venema (May 18)
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Greg A. Woods (May 18)
- Re: Mail delivery privileges Peter W (May 19)
- Re: Mail delivery privileges Henrik Nordstrom (May 19)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 17)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Johann Klasek (May 15)