Operating System - HP-UX

Can .forward execute code?

 
Daniel M. Gonzales
Frequent Advisor


Working on a security cleanup assignment. Heard mention that the UNIX .forward file can be used to execute code, acting like a back door. Does anyone know if this applies to HP-UX?
4 REPLIES
Steven E. Protter
Exalted Contributor

Re: Can .forward execute code?

Shalom,

It does not execute code.

It can forward a user's mail from his/her home directory to anywhere and can be used maliciously to relay spam. It should have tight permissions on it if it exists at all.

It certainly should not have execute rights, or it could be modified to be a shell script that does execute code.

It is much better to handle sendmail forwarding in the /etc/aliases file or in virtusertables or genericstables, which are controlled and owned by root.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
James R. Ferguson
Acclaimed Contributor

Re: Can .forward execute code?

Hi Daniel:

The potential relates to the '.forward' file for UNIX in general.

Regards!

...JRF...
Bill Hassell
Honored Contributor

Re: Can .forward execute code?

The file /etc/mail/aliases and .forward have similar capabilities. The .forward file itself does not execute but it may contain directives such as: pipe mail to this script, and is exactly how you can filter or process email automatically as it is received. It's not exactly a backdoor since /etc/mail/aliases is owned by root and not writable by ordinary users. A user can place a .forward in their $HOME directory but the script will only run if the delivery process can run the script or program. This is likely where a security scan would be centered:

ll /home/*/.forward

If you grep for the | (pipe) symbol in aliases and .forward files, you will see any automated mail handling. Also look for procmail as another way to handle incoming email.


Bill Hassell, sysadmin
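
The scan described in the post above, written out as an added example (not part of the original posts or any HP-UX tool). It goes beyond a grep for `|` by also reporting `:include:` and file-path targets, .forward files writable by group or other, and any .procmailrc; the function names `scan_file` and `audit_mail` and the `file:line:kind:entry` output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report program-delivery entries in sendmail forwarding files.
# Usage (as root): sh audit_forward.sh /home /etc/mail/aliases

# scan_file FILE: print FILE:LINE:KIND:ENTRY for each pipe, :include: or
# file-path target. Entries are split on commas, so a quoted command that
# itself contains a comma is reported by its first fragment only.
scan_file() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            line = $0
            sub(/^[A-Za-z0-9._-]+:[ \t]*/, "", line)  # drop an "alias:" prefix
            n = split(line, part, ",")
            for (i = 1; i <= n; i++) {
                e = part[i]
                gsub(/^[ \t"]+|[ \t"]+$/, "", e)      # trim blanks and quotes
                kind = ""
                if (e ~ /^\|/)             kind = "pipe"
                else if (e ~ /^:include:/) kind = "include"
                else if (e ~ /^\//)        kind = "file"
                if (kind != "") printf "%s:%d:%s:%s\n", f, NR, kind, e
            }
        }' "$1"
}

# audit_mail HOMEBASE ALIASES: scan the aliases file and every .forward under
# HOMEBASE; also note loose .forward permissions and procmail configurations.
audit_mail() {
    scan_file "$2"
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        if [ -f "$home/.forward" ]; then
            scan_file "$home/.forward"
            # In the ls -l mode string, columns 6 and 9 are the group and
            # other write bits.
            case $(ls -ld "$home/.forward" | cut -c6,9) in
                *w*) echo "$home/.forward:0:writable:group or other can edit" ;;
            esac
        fi
        if [ -f "$home/.procmailrc" ]; then
            echo "$home/.procmailrc:0:procmail:present"
        fi
    done
    return 0
}

if [ "$#" -eq 2 ]; then audit_mail "$1" "$2"; fi
```

Each reported `pipe` entry names a program the delivery process will run on incoming mail, so the follow-up is to review who owns and can modify that program.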
Ron Cohen
New Member

Re: Can .forward execute code?

Yes. You can use .forward to invoke commands via pipes. I once encountered a user who used this feature to invoke a backdoor by sending mail with a triggering word.