[exim-dev] [Bug 988] New: CVE-2010-2023 - vulnerability with…

Top Page
Delete this message
Reply to this message
Author: Nigel Metheringham
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 988] New: CVE-2010-2023 - vulnerability with world-writable sticky mbox mail directory
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=988
           Summary: CVE-2010-2023 - vulnerability with world-writable sticky
                    mbox mail directory
           Product: Exim
           Version: 4.71
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: security
          Priority: high
         Component: Delivery in general
        AssignedTo: nigel@???
        ReportedBy: nigel@???
                CC: exim-dev@???, dan.j.rosenberg@???



[Copied from original notification email and followups]

When Exim is used with a world-writable mail directory with the
sticky-bit set, local users may create hard links to other non-root
users' files at the expected location of those users' mailboxes,
causing their files to be written to upon mail delivery. This could
be used to create denial-of-service conditions or potentially escalate
privileges to those of targeted users. This issue has been assigned
CVE-2010-2023.

[...]
Let me know if you have any questions about these issues, or have any
problems with the patch. Even though neither of these two
vulnerabilities affects many downstream distributions by default
(since sticky-bit mail directories are becoming more rare and MBX
locking isn't used by many distributions), I'd like to publish an
advisory for these issues independently once you have released a fix.
I'd appreciate it if you kept me posted on any progress in regards to
these issues.

[Followup message]

For the first issue, it's not a matter of reading a user's mail, but
causing mail deliveries to that user to overwrite other files owned by
that user. For example, if we use your example of victim "foo" and
attacker "bar", where "foo" has no mailbox, "bar" can create a
hardlink to another one of foo's files, such as /home/foo/.bashrc.
Subsequent mail delivery will append to this file, allowing an
attacker to append information to other users' files.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email