Bugtraq mailing list archives

Re: SuSE Security Announcement: tnef

From: link () FOO FH-FURTWANGEN DE (Rainer Link)
Date: Tue, 11 Jul 2000 19:41:23 +0200


Thomas Biege wrote:

______________________________________________________________________________

                        SuSE Security Announcement

        Package:  tnef < 0-124
        Date:     Mon Jul 10 19:19:16 CEST 2000

        Affected SuSE versions: 6.3-6.4
        Vulnerability Type:     remote compromise
        SuSE default package:   no
        Other affected systems: all unix systems using this package
______________________________________________________________________________


[cut]

2. Impact

  By specifing a path name like /etc/passwd and sending a compressed
  mail to root an adversary could gain remote root access to a system
  by overwriting the local password database.
  The same could happen if a mail virus scanner, like AMaVIS, process'
  a malicious mail.


FYI:

AMaViS-Perl: not affected, as a Perl module is used

TNEF support was added to AMaViS 0.2.0-pre6-clm-rl-8-20000604 (previous
versions are therefore *not* affected), but AMaViS does not run as root
when used with qmail, exim and postfix. AMaViS is run as root, when used
with sendmail and AMaViS is called via Mlocal. AMaViS may not run as
root, when used with sendmail and the new relay scanning setup for
AMaViS (--enable-relay).
Anyway, a fix for this possible security hole was provided in AMaViS
0.2.0-pre6-clm-rl-8-20000704. It's available at
http://sourceforge.net/projects/amavis, http://cvsweb.amavis.org/ or
http://www.computer-networking.de/~link/security/amavis-patch.php3#latest_sources
(if you prefer a gzipped tarball).

We recommend to use Mark Simpson's TNEF
(http://world.std.com/~damned/software.html) which does not suffer from
this security problem, as it supportes the -d flag to extract files to a
specific directory.

I would like to thank Robert Valentan of SOLID-SOFT
EDV-VertriebsgmbH/Austria for reporting this problem to us and helping
us to fix it.

best regards,
Rainer Link
(AMaViS Developer)

--
Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)
link () suse de | Member of AMaViS Development Team (dev.amavis.org)
rainer.w3.to | Linux/Unix Anti Virus project (lavp.sourceforge.net)

Current thread:

SuSE Security Announcement: tnef Thomas Biege (Jul 11)
- Re: SuSE Security Announcement: tnef Rainer Link (Jul 11)
- Security hole in Win2K's FTP server Bob Kline (Jul 11)
  - CONECTIVA LINUX SECURITY ANNOUNCEMENT - nfs-utils Conectiva Security (Jul 17)
  - Re: Security hole in Win2K's FTP server Dan Kaminsky (Jul 17)
    - Re: Security hole in Win2K's FTP server Adam Muntner (Jul 18)
    - Re: Security hole in Win2K's FTP server David LeBlanc (Jul 18)
    - Re: Security hole in Win2K's FTP server Darren Reed (Jul 18)
- MDKSA-2000:018 dump update Vincent Danen (Jul 11)
- Sun's Java Web Server remote command execution vulnerability stuart.mcclure () FOUNDSTONE COM (Jul 11)
- Attacking Windows 9x with Loadable Kernel Modules Solar Eclipse (Jul 12)