[mdk-re] Nessus results

Dmitry V. Levin ldv at alt-linux.org
Fri Jun 22 13:19:01 MSD 2001


Greetings!

On Fri, Jun 22, 2001 at 12:29:24PM +0400, Artem Pastuchov wrote:
> I ran the subject against a freshly installed Spring,
> and it really did not like postfix:

<skip>

> The remote SMTP server did not complain when issued the
> command :
>  MAIL FROM: root@this_host
>  RCPT TO: |testing
> 
> This probably means that it is possible to send mail directly
> to programs, which is a serious threat, since this allows
> anyone to execute arbitrary command on this host.
> 
> NOTE : ** This security hole might be a false positive, since
>  some MTAs will not complain to this test, and instead will
>  just drop the message silently **

date server postfix/local[pid]: id: to=<|testing@server>, relay=local, delay=1, status=bounced (unknown user: "|testing")

> The remote SMTP server did not complain when issued the
> command :
>  MAIL FROM: |testing
> 
> This probably means that it is possible to send mail 
> that will be bounced to a program, which is 
> a serious threat, since this allows anyone to execute 
> arbitrary command on this host.
> 
> NOTE : ** This security hole might be a false positive, since
>  some MTAs will not complain to this test, but instead
>  just drop the message silently **

See the previous log.

> The remote SMTP server did not complain when issued the
> command :
>  MAIL FROM: root@this_host
>  RCPT TO: /tmp/nessus_test
> 
> This probably means that it is possible to send mail directly
> to files, which is a serious threat, since this allows
> anyone to overwrite any file on the remote server.
> 
> NOTE : ** This security hole might be a false positive, since
>  some MTAs will not complain to this test and will
>  just drop the message silently. Check for the presence
>  of file 'nessus_test' in /tmp ! **

date server postfix/local[pid]: id: to=</tmp/nessus_test@server>, relay=local, delay=1, status=bounced (unknown user: "/tmp/nessus_test")

> The remote STMP server seems to allow remote users to
> send mail anonymously by providing a too long argument
> to the HELO command (more than 1024 chars).
> 
> This problem may allow bad guys to send hate
> mail, or threatening mail using your server
> and keep their anonymity.

> How dangerous is this?

Summary: Not knowing how to use security scanners.

Risk factor : High.

Solution : Study, study, and study again, ... :)

> P.s.
> 
> In today's bugtraq a bug was reported:
> fetchmail buffer overflow

The latest BUGTRAQ posts about fetchmail concerned rather old
versions, older than the one that went into Spring. That said, over
the last 10 days three fetchmail releases have already come out, fixing
various buffer overruns. I'm afraid the story does not end
there. :(
So be careful when using fetchmail.
Never run it as root.
As soon as the situation settles down, there will be an update in updates.


Regards,
	Dmitry

+-------------------------------------------------------------------------+
Dmitry V. Levin     mailto://ldv@alt-linux.org
ALT Linux Team      http://www.altlinux.ru/
Fandra Project      http://www.fandra.org/
+-------------------------------------------------------------------------+
UNIX is user friendly. It's just very selective about who its friends are.
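The way to settle a Nessus "mail to program/file" finding is to read the MTA's own delivery log, as the bounced lines above show. Here is an added Python example (not part of this message or of Postfix) that does that check: it picks out recipients whose local part names a pipe or an absolute path and reports whether Postfix actually delivered them. The sample log lines are constructed after the ones quoted above, and the regex assumes Postfix's `to=<...>, ..., status=...` delivery-log layout.

```python
import re

# Constructed sample lines modelled on the Postfix output quoted in this
# thread; the timestamps, host name, pids and queue ids are made up.
SAMPLE_LOG = """\
Jun 22 12:29:30 server postfix/local[1234]: A1B2C3: to=<|testing@server>, relay=local, delay=1, status=bounced (unknown user: "|testing")
Jun 22 12:29:31 server postfix/local[1234]: D4E5F6: to=</tmp/nessus_test@server>, relay=local, delay=1, status=bounced (unknown user: "/tmp/nessus_test")
Jun 22 12:29:32 server postfix/local[1234]: 778899: to=<root@server>, relay=local, delay=0, status=sent (delivered to mailbox)
"""

# One Postfix delivery-agent line: agent, queue id, recipient, final status.
LINE_RE = re.compile(
    r"postfix/(?P<agent>\w+)\[\d+\]: (?P<qid>\w+): "
    r"to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)"
)


def is_program_or_file_recipient(rcpt):
    """True when the local part names a command (|cmd) or a path (/file),
    i.e. the kind of recipient the Nessus probes above try to deliver to."""
    local = rcpt.split("@", 1)[0]
    return local.startswith("|") or local.startswith("/")


def classify(log_text):
    """Return (recipient, status, delivered) for every pipe/file recipient.

    delivered is True only when the MTA reports status=sent; a bounced or
    deferred probe means the scanner's finding was not confirmed."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_program_or_file_recipient(m["rcpt"]):
            continue
        findings.append((m["rcpt"], m["status"], m["status"] == "sent"))
    return findings


def probe_was_false_positive(log_text):
    """True when the probes are in the log and none of them was delivered."""
    findings = classify(log_text)
    return bool(findings) and not any(sent for _, _, sent in findings)


if __name__ == "__main__":
    for rcpt, status, delivered in classify(SAMPLE_LOG):
        print(f"{rcpt:28} {status:8} delivered={delivered}")
    print("false positive:", probe_was_false_positive(SAMPLE_LOG))
```

Run it against the real log after a scan; a `status=sent` line for such a recipient is the only result that would confirm the finding.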