Home page logo

bugtraq logo Bugtraq mailing list archives

MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC))
From: Rich Lafferty <rich () alcor concordia ca>
Date: Tue, 15 May 2001 17:00:43 -0400

On Tue, May 15, 2001 at 02:15:45PM +0100, Andrew Hilborne (andrew.hilborne () uk xo com) wrote:

(At least not if you /var/mail directory has the standard 1777 permissions)

By forcing a file permission of 600 on mailboxes, group mail should not
gain you anything.

Just how do you force 0600 on mailboxes which don't exist (many MUAs remove
empty mailboxes?)

If that's true, then even *without* this particular bug in Solaris,
there's an icky denial of service attack waiting to happen. Sticky
mailspools are awfully common these days, and all that stops Bob from

  touch /var/spool/mail/alice

and causing the MTA to refuse to deliver is that Alice's mailbox
should never *not* be there in the first place. 

Which MUAs behave in the way you describe?
Since you cannot easily do this, at the very least a malicious user should be
able to steal other users' mail. I think.

If they can, then *that's* a flaw in the MTA, which should never
deliver into something that isn't owned by the recipient.


------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich () alcor concordia ca ----------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]