[Simon Walter] Bug#506353: mailscanner: many scripts allow
local users to overwrite arbitrary files, and more,
via symlink attacks
simon.walter at hp-factory.de
simon.walter at hp-factory.de
Thu Dec 4 14:22:44 GMT 2008
> 2008/12/4 <simon.walter at hp-factory.de>:
>>> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>>>> MX invalid
>>>> I don't know what's causing this...
>>> The answer is here. Your MX is a CNAME.
>> which points to an A record...
>> ... like CNAMEs are dangerous.
> So ...? They aren't allowed for MXs.
Didn't know that, but the RFC seems quite clear on this.
> One could likely say pretty much the same about the "scary
> tmp/symlink" things:-). One thing to note... If you run something that
> don't run as root, the vulnerability is more or less completely
> nullified. So we PF users are safe from our users, AFAICS:-).
> Or was there more to the attack vector than that?
Running MailScanner or anything else as root is the worst-case-scenario
for the "scary tmp/symlink" thing. If you don't run it as root you run
probably run it as a user who has access to the mailserver spool-directory
and I'm certain you don't want any other user be able to gain this
privileg.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5313
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5312
--
Regards
Simon Walter
More information about the MailScanner
mailing list