SMTP > Write to File
Results 1 to 5 of 5

Thread: SMTP > Write to File

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    3

    SMTP > Write to File

    I have a question about a security flaw . One of my servers seem to send mail directly to any file on the system .
    Mail from:Bladiebla@com.com
    Rcpt to:/etc/passwd
    data

    the data
    .

    How can i disable the mailserver from doing this ?
    Don't think it is easily exploitable , wouldn't know which files to change to get > telnet running > ftp running or so

    any advice appreciated

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Correct me if I'm wrong... but if the mail is writing to /etc/passwd

    Why couldn't one just send a properly formatted e mail to that account with user id and password information?

    Then the user who sent the e mail will have a user id and password...

    No need for one to be added by an admin or root.

    To stop it from writing there... why not change the permissions?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    Have you thought about doing an strace -o to see get a look at what the SMTP process is doing. I have never seen anything like this happen unless there was some sort of inode error involved.

  4. #4
    Junior Member
    Join Date
    Nov 2001
    Posts
    3
    I found the problem when scanning the server with Nessus . It told me it was possible to write to any file on the system using this ""technique"" .
    And it worked 4me . I thought it was impossible to write to /etc/passwd when just telnetting into the smtp server and sent the data to the /etc/passwd .
    The telnet session is with an anonymous user ..isn't it ?

  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    On my linux-mandrake server the passwd and shadow files are both owned by root. The passwd file is chmoded to 644 and the shadow file is 600. I never knew that an anonymous user could write to the /etc/passwd file. Perhaps if you modify the anonymous users virtual root, that would correct this issue.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •