SecurityTracker.com
Category:   Application (E-mail Server)  >   sSMTP
Vendors:   Collier-Brown, David et al
sSMTP Unsafe Temporary File Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1009883
SecurityTracker URL:  http://securitytracker.com/id/1009883
CVE Reference:   CVE-2004-0423
Updated:  Apr 30 2004
Original Entry Date:  Apr 20 2004
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Exploit Included:  Yes  
Version(s): 2.50.6
Description:   A vulnerability was reported in sSMTP. A local user can gain elevated privileges.

priest at priestmaster.org reported that the software creates a temporary file ('/tmp/ssmtp.log') in an unsafe manner. A local user can create a symbolic link (symlink) at the path of this temporary file that points to a critical file on the system and then cause sSMTP to write arbitrary data to the symlinked file. The symlinked file will be overwritten with the privileges of the sSMTP process, which is reported to be root privileges in a typical installation.

Impact:   A local user can modify files with the privileges of the sSMTP process, allowing the local user to gain the privileges of the process.
Solution:   No solution was available at the time of this entry.
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 27 2004 (Gentoo Issues Fix) sSMTP Unsafe Temporary File Lets Local Users Gain Elevated Privileges
Gentoo has released a fix.



 Source Message Contents

Subject:  ssmtp insecure file creation


 Hi,

ssmtp 2.50.6 creates a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissions of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:

#ifdef LOGFILE
        if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
                (void)fprintf(fp, "%s\n", buf);
                (void)fclose(fp);

I think that all versions of ssmtp are vulnerable to this bug.

Have a nice day,

priest@priestmaster.org
http://www.priestmaster.org

--
A service of http://www.sms.at
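
A hardened form of the logging call quoted in the message above, added here as an example (it is not sSMTP's code and not the fix Gentoo shipped). The function names `open_log_safely` and `log_event_safe` and the path argument are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending without following a symlink at `path`.
 * Returns a FILE* on success, NULL (errno set) if the path is refused. */
FILE *open_log_safely(const char *path)
{
    struct stat st;
    FILE *fp;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink.
     * Mode 0600: a newly created log is not writable by other users. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    /* Inspect the object actually opened (fstat on the descriptor, not
     * stat on the path): regular file, no extra hard links, owned by us. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    if ((fp = fdopen(fd, "a")) == NULL)
        close(fd);
    return fp;
}

/* Stand-in for the fopen()/fprintf() pair; 0 on success, -1 on refusal. */
int log_event_safe(const char *path, const char *buf)
{
    FILE *fp = open_log_safely(path);
    if (fp == NULL)
        return -1;
    (void)fprintf(fp, "%s\n", buf);
    return fclose(fp) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Usage (assumed): ./a.out <logfile>; the log line is a constructed sample. */
    if (argc != 2 || log_event_safe(argv[1], "constructed sample log line") != 0)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```

O_NOFOLLOW only covers the final path component, so keeping the log in a directory that only the sSMTP user can write to removes the shared-/tmp exposure at its source.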

 
 



Copyright 2021, SecurityGlobal.net LLC