[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

simon.walter at hp-factory.de simon.walter at hp-factory.de
Thu Dec 4 14:22:44 GMT 2008


> 2008/12/4  <simon.walter at hp-factory.de>:
>>> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>>>> MX invalid
>>>> I don't know what's causing this...
>>> The answer is here. Your MX is a CNAME.
>> which points to an A record...
>> ... like CNAMEs are dangerous.
> So ...? They aren't allowed for MXs.

Didn't know that, but the RFC seems quite clear on this.


> One could likely say pretty much the same about the "scary
> tmp/symlink" things:-). One thing to note... If you run something that
> don't run as root, the vulnerability is more or less completely
> nullified. So we PF users are safe from our users, AFAICS:-).
> Or was there more to the attack vector than that?

Running MailScanner or anything else as root is the worst-case-scenario
for the "scary tmp/symlink" thing. If you don't run it as root you run
probably run it as a user who has access to the mailserver spool-directory
and I'm certain you don't want any other user be able to gain this
privileg.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5313
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5312

--
Regards
Simon Walter




More information about the MailScanner mailing list