cyrus With postfix and Procmail Remote Shell Expansion Vulnerabilities
BID:1428
Info
cyrus With postfix and Procmail Remote Shell Expansion Vulnerabilities
| Bugtraq ID: | 1428 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 05 2000 12:00AM |
| Updated: | Mar 19 2015 09:35AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on July 5, 2000 by John Pettitt <[email protected]> |
| Vulnerable: |
Cmu Cyrus 1.6 |
| Not Vulnerable: | |
Discussion
cyrus With postfix and Procmail Remote Shell Expansion Vulnerabilities
A vulnerability exists in one method in which the cyrus IMAP server can be made to work with the Postfix MTA. By failing to check the contents of certain user supplied fields, its possible to cause procmail to execute shell backtick expansion (``), allowing the execution of arbitrary commands as the cyrus user.
This does not represent a vulnerability in cyrus, procmail or postfix, but instead a vulnerability in one method for integrating these tools.
A vulnerability exists in one method in which the cyrus IMAP server can be made to work with the Postfix MTA. By failing to check the contents of certain user supplied fields, its possible to cause procmail to execute shell backtick expansion (``), allowing the execution of arbitrary commands as the cyrus user.
This does not represent a vulnerability in cyrus, procmail or postfix, but instead a vulnerability in one method for integrating these tools.
Exploit / POC
cyrus With postfix and Procmail Remote Shell Expansion Vulnerabilities
Sending mail to a cyrus mailbox from `touch /tmp/vulnerable`@foo.com will cause a file to be created in /tmp named vulnerable.
Sending mail to a cyrus mailbox from `touch /tmp/vulnerable`@foo.com will cause a file to be created in /tmp named vulnerable.
Solution / Fix
cyrus With postfix and Procmail Remote Shell Expansion Vulnerabilities
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
The author of the Bugtraq post on this vulnerability suggested creating the following delivery rule:
:0
*$ ! $MAILTO ?? .*[A-ZA-z0-9\-_]?
/tmp/bad
#or /dev/null according to taste
Additional methods for solving/working around this problem are presented in the credits section.
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
The author of the Bugtraq post on this vulnerability suggested creating the following delivery rule:
:0
*$ ! $MAILTO ?? .*[A-ZA-z0-9\-_]?
/tmp/bad
#or /dev/null according to taste
Additional methods for solving/working around this problem are presented in the credits section.