Printable View
I have a question about a security flaw . One of my servers seem to send mail directly to any file on the system .
Mail from:[email protected]
Rcpt to:/etc/passwd
data
the data
.
How can i disable the mailserver from doing this ?
Don't think it is easily exploitable , wouldn't know which files to change to get > telnet running > ftp running or so
any advice appreciated
Correct me if I'm wrong... but if the mail is writing to /etc/passwd
Why couldn't one just send a properly formatted e mail to that account with user id and password information?
Then the user who sent the e mail will have a user id and password...
No need for one to be added by an admin or root.
To stop it from writing there... why not change the permissions?
Have you thought about doing an strace -o to see get a look at what the SMTP process is doing. I have never seen anything like this happen unless there was some sort of inode error involved.
I found the problem when scanning the server with Nessus . It told me it was possible to write to any file on the system using this ""technique"" .
And it worked 4me . I thought it was impossible to write to /etc/passwd when just telnetting into the smtp server and sent the data to the /etc/passwd .
The telnet session is with an anonymous user ..isn't it ?
On my linux-mandrake server the passwd and shadow files are both owned by root. The passwd file is chmoded to 644 and the shadow file is 600. I never knew that an anonymous user could write to the /etc/passwd file. Perhaps if you modify the anonymous users virtual root, that would correct this issue.