Operating System - HP-UX

decoded aliases & Aliases with Pipes in sendmail.cf

chicuks
Advisor

hi,

Could somebody give me an idea about decoded aliases & aliases with pipes in /etc/mail/aliases?

Why is it a security threat if present?

How could I find these decoded aliases & pipes... any command?

regards,
chicuks

Patrick Wallek
Honored Contributor

Re: decoded aliases & Aliases with Pipes in sendmail.cf

A quick Google search of "sendmail decoded aliases" yields:

http://www.faqs.org/docs/securing/chap22sec183.html

http://chargen.matasano.com/chargen/2009/5/6/this-old-vulnerability-sendmail-decode-alias.html

http://osvdb.org/show/osvdb/196

The theory behind the aliases with pipes is the same as the 'decode' alias since it pipes a message to a command.

You find these by looking in your /etc/mail/aliases file.

James R. Ferguson
Acclaimed Contributor

Re: decoded aliases & Aliases with Pipes in sendmail.cf

Hi:

The problem that you are asking about involves the '/etc/mail/aliases' and '${HOME}/.forward' files used with 'sendmail' and cousins. These files are not executed, but they may contain piped commands that ARE executed.

For example, creating a '.forward' file in the users ${HOME} directory is one way of setting up email forwarding.

Keep the permissions of the '.forward' file writable ONLY to its owner, though. To do otherwise is a security hole, since if I can write entries into your '.forward' file, then I can insert insidious scripts into it, like this piped open:

| /tmp/mybadthing

The above line in your '.forward' file would cause my '/tmp/mybadthing' to run, which might not be a good thing :-))

You could look for piped opens '|' in your configuration files --- '.forward' and alias files.

Regards!

...JRF...
James R. Ferguson
Acclaimed Contributor

Re: decoded aliases & Aliases with Pipes in sendmail.cf

Hi (again):

> How could I find these decoded aliases & pipes... any command?

I inferred the answer to this, but I suspect you need a more direct reply.

You could 'grep' for the pipe symbol. For example:

# find /home -type f -name .forward -exec grep '|' {} +

This assumes that your users' ${HOME} directories reside in '/home'. You should really parse your '/etc/passwd' file to find all paths to HOME directories.

Regards!

...JRF...
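The two checks the replies describe, looking for pipe and 'decode' entries in /etc/mail/aliases and for pipes (and loose permissions) in every user's .forward found via /etc/passwd, put together as one script. This is an added example, not code posted in the thread; the function names and the sample files that build_sample() creates are constructed for illustration only and are not real system data. Only POSIX sh, sed, awk, grep and find are used, so it should run on HP-UX as well as on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): audit sendmail's aliases file and every
# user's ~/.forward for entries that pipe mail into a command, taking home
# directories from the passwd file instead of assuming /home.
# The tree built by build_sample() is constructed for this example only.

# audit_aliases FILE
# Report every alias whose right-hand side starts a command with "|", plus the
# classic "decode" alias whatever its target. Continuation lines (leading
# whitespace) are joined to the entry they belong to before matching.
audit_aliases() {
    aliases_file=$1
    [ -r "$aliases_file" ] || return 0
    sed -e '/^#/d' "$aliases_file" |
    awk '
        /^[[:space:]]/ { buf = buf " " $0; next }     # continuation line
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' |
    awk -v file="$aliases_file" -F: '
        NF >= 2 {
            name = $1
            sub(/^[[:space:]]+/, "", name); sub(/[[:space:]]+$/, "", name)
            rhs = substr($0, index($0, ":") + 1)      # keep later colons (:include:)
            # A pipe may follow the colon directly or a comma inside a list,
            # optionally wrapped in double quotes.
            if (tolower(name) == "decode" || rhs ~ /(^|,)[[:space:]]*"?[|]/)
                print file ": " name ":" rhs
        }'
}

# audit_forwards PASSWD [PREFIX]
# Walk the home directories listed in PASSWD, report any ~/.forward line that
# contains a pipe, and warn when the file is writable by group or others (anyone
# who can write it can plant a "| /tmp/mybadthing" entry). PREFIX is prepended
# to each home directory so a sample tree can be audited instead of the real one.
audit_forwards() {
    passwd_file=$1
    prefix=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        f="$prefix$home/.forward"
        [ -f "$f" ] || continue
        grep -n '|' "$f" /dev/null || :       # /dev/null forces the "file:" prefix
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$f: WARNING: writable by group/others (account $user)"
        fi
    done < "$passwd_file"
}

# build_sample DIR: constructed sample tree (passwd, aliases, three .forward files).
build_sample() {
    root=$1
    mkdir -p "$root/etc/mail" "$root/home/alice" "$root/home/bob" "$root/var/adm/eve"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/:/sbin/sh
alice:x:101:20:Alice:/home/alice:/usr/bin/sh
bob:x:102:20:Bob:/home/bob:/usr/bin/sh
eve:x:103:20:Eve:/var/adm/eve:/usr/bin/sh
EOF
    cat > "$root/etc/mail/aliases" <<'EOF'
# Basic system aliases -- these MUST be present.
postmaster: root
# Dangerous legacy entries
decode: "|/usr/bin/uudecode"
bugs:   root,
        "|/usr/local/bin/file-bug"
# Harmless
sales: alice, bob
EOF
    printf '%s\n' 'bob@example.com' > "$root/home/alice/.forward"
    printf '%s\n' '| /tmp/mybadthing' > "$root/home/bob/.forward"
    printf '%s\n' '"|/usr/bin/vacation eve"' > "$root/var/adm/eve/.forward"
    chmod 600 "$root/home/alice/.forward" "$root/var/adm/eve/.forward"
    chmod 666 "$root/home/bob/.forward"   # the hole James describes
}

# sample_report: build the sample tree, run both audits on it, clean up.
sample_report() {
    tmp=${TMPDIR:-/tmp}/alias-audit.$$
    mkdir -p "$tmp"
    build_sample "$tmp"
    audit_aliases "$tmp/etc/mail/aliases"
    audit_forwards "$tmp/etc/passwd" "$tmp"
    rm -rf "$tmp"
}

# Real use (as root): audit_aliases /etc/mail/aliases; audit_forwards /etc/passwd
if [ "${1:-}" = "--demo" ]; then
    sample_report
fi
```

On the sample tree this flags the 'decode' alias, the 'bugs' alias whose continuation line holds a pipe, bob's '.forward' (both the pipe and the 666 mode) and eve's '.forward', while alice's plain forwarding address and the postmaster/sales aliases stay quiet. Note that it only reads the text files: files referenced via ':include:' are not opened, and a '|' inside a comment on a '.forward' line is still reported. Finding the entries is the point of the thread; limiting what a pipe may execute is a separate matter (sendmail's smrsh restricted shell, where available).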