Quoting John Steniger ([EMAIL PROTECTED]):
> Running a network test against my recent qmail installation, I get reports
> on the mailto programs hole, which allows users to telnet to port 25 and
> issue:
> 
> MAIL FROM: root@this_host
> RCPT: <any program>

Huh.  I've never heard of this exploit!  Now, that doesn't mean the
exploit doesn't exist, or didn't, at some particular time, regarding
some particular MTA.  I could believe sendmaul would have an exploit
like that. heh.

> This allows users to potentially execute any command with root authority.
> The warning came with the caveat that this may not be an issue, as some
> MTA's simply drop these messages silently.  

It's probably assuming that since qmail didn't return an error code
that it could be vulnerable.  That's not relevant with qmail since, as
you know, stock qmail will accept all messages unless some other rule
blocks you, i.e. badmailfrom.

> Does anyone know how qmail handles this?  Is this an issue with qmail, or is
> qmail one of the exceptions?

qmail would not be vulnerable to any exploit like that unless you made
yourself vulnerable, and most would argue that you then not classify
it as a qmail vulnerability.  Perhaps you have "| hackme" in
~alias/.qmail-hackme, so a rcpt to:<hackme> gets you in trouble.  Of
course hackme will only run as user alias unless it's setuid something,
so program deliveries are limited unless you or your software really
goof up.

qmail doesn't deliver to root, so nothing in ~root/.qmail can get you
clobbered, either.

good luck,

Aaron
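
Added example, not part of the original message and not qmail's own code: a Python audit that lists every program delivery (a line starting with "|") in the .qmail files of a directory such as ~alias, and flags any whose target is a setuid or setgid binary, which is the case the reply warns about. The function names and the sample directory are assumptions made for illustration; the line-type rules follow dot-qmail(5).

```python
import os, shlex, stat, tempfile

def classify(line):
    """Delivery type of one .qmail line, following dot-qmail(5)."""
    if not line.strip():
        return "blank"
    if line[0] == "#":
        return "comment"
    if line[0] == "|":
        return "program"
    if line[0] in "/.":
        return "maildir" if line.rstrip().endswith("/") else "mbox"
    return "forward"  # "&addr", or a line starting with a letter or digit

def audit(alias_home):
    """List (file, command, privileged) for every program delivery found."""
    findings = []
    for name in sorted(os.listdir(alias_home)):
        if not name.startswith(".qmail"):
            continue
        with open(os.path.join(alias_home, name)) as fh:
            for line in fh.read().splitlines():
                if classify(line) != "program":
                    continue
                cmd = line[1:].strip()
                try:
                    argv = shlex.split(cmd)
                except ValueError:      # unbalanced quotes: fall back
                    argv = cmd.split()
                prog = argv[0] if argv else ""
                # Only absolute paths can be checked without guessing PATH.
                priv = False
                if os.path.isabs(prog) and os.path.isfile(prog):
                    mode = os.stat(prog).st_mode
                    priv = bool(mode & (stat.S_ISUID | stat.S_ISGID))
                findings.append((name, cmd, priv))
    return findings

def demo():
    """Constructed sample: a throwaway directory standing in for ~alias."""
    with tempfile.TemporaryDirectory() as home:
        samples = {".qmail-hackme": "| hackme\n",
                   ".qmail-postmaster": "# constructed\n&admin@example.org\n./Maildir/\n"}
        for name, body in samples.items():
            with open(os.path.join(home, name), "w") as fh:
                fh.write(body)
        return audit(home)

if __name__ == "__main__":
    for name, cmd, priv in demo():
        print(f"{name}: runs {cmd!r}" + (" [setuid/setgid target]" if priv else ""))
```

Commands given without an absolute path are reported but not checked for setuid, since resolving them would mean guessing the PATH that qmail-local runs with.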
