[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Glenn Steen glenn.steen at gmail.com
Thu Dec 4 15:15:36 GMT 2008


2008/12/4  <simon.walter at hp-factory.de>:
>> 2008/12/4  <simon.walter at hp-factory.de>:
>>>> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>>>>> MX invalid
>>>>> I don't know what's causing this...
>>>> The answer is here. Your MX is a CNAME.
>>> which points to an A record...
>>> ... like CNAMEs are dangerous.
>> So ...? They aren't allowed for MXs.
>
> Didn't know that, but the RFC seems quite clear on this.
>
>
>> One could likely say pretty much the same about the "scary
>> tmp/symlink" things:-). One thing to note... If you run something that
>> doesn't run as root, the vulnerability is more or less completely
>> nullified. So we PF users are safe from our users, AFAICS:-).
>> Or was there more to the attack vector than that?
>
> Running MailScanner or anything else as root is the worst-case-scenario
> for the "scary tmp/symlink" thing. If you don't run it as root you
> probably run it as a user who has access to the mailserver spool-directory
> and I'm certain you don't want any other user to be able to gain this
> privilege.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5313
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5312
>
Yes, I do agree that you can make MailScanner do silly things with
this. But it isn't an attack vector to "bypass" any file level
security though. You can make it "shit" where it eats, or fubar any
file the Run As user has write permissions for, but you cannot really
make it "write arbitrary data"... Anyway, that is neither here nor
there.
To make these "go away"... I suppose one would either need to do
- priv separation and jailing (complex, pesky...:-), or
- Not use tmp space (or rather ... commonly writable directories)...
Might be workable, or
- safeguard against uses of symlinks for these files. A simple stat
would likely be all that's needed... In a myriad places:-). And some clever
way to ... fail... or amend the situation.

Oh well. I suppose Jules will know what to do ... or not do... once he
feels up to it.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
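
The second and third options in the list above, as an added example that is not part of the original message or of MailScanner's code: a stat followed by a separate open leaves a window between check and use, so the sketch does the check inside the open itself with `O_CREAT|O_EXCL|O_NOFOLLOW`, and also shows a private work directory. The file names `victim.conf` and `scanner.tmp` are hypothetical, and the "shared" directory is a constructed stand-in for a commonly writable one.

```python
import os
import tempfile

def unsafe_write(path, data):
    """Write to a predictable name; open() follows a symlink planted there."""
    with open(path, "w") as fh:
        fh.write(data)

def safe_create(path, data):
    """Create path only if nothing exists there, never through a symlink.

    O_EXCL makes "check and create" a single atomic step (no stat/open race);
    O_NOFOLLOW additionally refuses a symlink as the final path component.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def demo():
    """Return (victim after unsafe write, safe create refused?,
    victim after safe attempt, mode of the private work directory)."""
    with tempfile.TemporaryDirectory() as shared:  # stand-in for a shared tmp dir
        victim = os.path.join(shared, "victim.conf")  # hypothetical file owned by the Run As user
        work = os.path.join(shared, "scanner.tmp")    # hypothetical predictable work file
        unsafe_write(victim, "original")
        os.symlink(victim, work)                      # constructed: link already in place

        unsafe_write(work, "scratch")                 # follows the link
        with open(victim) as fh:
            after_unsafe = fh.read()

        unsafe_write(victim, "original")              # reset for the second case
        try:
            safe_create(work, "scratch")
            refused = False
        except OSError:                               # EEXIST: a name is already there
            refused = True
        with open(victim) as fh:
            after_safe = fh.read()

        # Option 2: work in a directory other users cannot write to.
        private = tempfile.mkdtemp(prefix="ms-", dir=shared)  # random name, mode 0700
        safe_create(os.path.join(private, "scanner.tmp"), "scratch")
        private_mode = os.stat(private).st_mode & 0o777
    return after_unsafe, refused, after_safe, private_mode

if __name__ == "__main__":
    print(demo())
```

On refusal the caller still has to decide how to fail, which is the "clever way to fail or amend the situation" part: aborting and logging is the conservative choice, since deleting the unexpected entry and retrying reopens the race.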

