SMTP > Write to File

[Bart decker]

I have a question about a security flaw . One of my servers seem to send mail directly to any file on the system .
Mail from:Bladiebla@com.com
Rcpt to:/etc/passwd
data

the data
.

How can i disable the mailserver from doing this ?
Don't think it is easily exploitable , wouldn't know which files to change to get > telnet running > ftp running or so

any advice appreciated

[phishphreek]

Correct me if I'm wrong... but if the mail is writing to /etc/passwd

Why couldn't one just send a properly formatted e mail to that account with user id and password information?

Then the user who sent the e mail will have a user id and password...

No need for one to be added by an admin or root.

To stop it from writing there... why not change the permissions?

[detoxsmurf]

Have you thought about doing an strace -o to see get a look at what the SMTP process is doing. I have never seen anything like this happen unless there was some sort of inode error involved.

[Bart decker]

I found the problem when scanning the server with Nessus . It told me it was possible to write to any file on the system using this ""technique"" .
And it worked 4me . I thought it was impossible to write to /etc/passwd when just telnetting into the smtp server and sent the data to the /etc/passwd .
The telnet session is with an anonymous user ..isn't it ?

[detoxsmurf]

On my linux-mandrake server the passwd and shadow files are both owned by root. The passwd file is chmoded to 644 and the shadow file is 600. I never knew that an anonymous user could write to the /etc/passwd file. Perhaps if you modify the anonymous users virtual root, that would correct this issue.