Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-16 Thread Jasen Betts
On 2017-05-09, Andrew C Aitchison wrote: > On Tue, 9 May 2017, ad...@bugs.exim.org wrote: > >> https://bugs.exim.org/show_bug.cgi?id=2118 >> >> Jasen Betts changed: >> >> What|Removed |Added >>

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-09 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 --- Comment #9 from Sandor Takacs --- (In reply to Phil Pennock from comment #8) > A stance and a code change by Exim. > > (1) This is not a vulnerability in Exim. Exim trusts the local user to be > allowed access to their own

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-09 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118

Phil Pennock changed:

What | Removed | Added
CC   |         | p...@exim.org

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-09 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118

Phil Pennock changed:

What     | Removed  | Added
Priority | critical | medium

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-09 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118

Phil Pennock changed:

What     | Removed       | Added
Assignee | ni...@exim.org | p...@exim.org

Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-09 Thread Andrew C Aitchison
On Tue, 9 May 2017, ad...@bugs.exim.org wrote: https://bugs.exim.org/show_bug.cgi?id=2118 Jasen Betts changed: What|Removed |Added CC|

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-09 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 Jasen Betts changed: What|Removed |Added CC||ja...@treshna.com --- Comment

Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-07 Thread Heiko Schlittermann via Exim-dev
Viktor Dukhovni (Sa 06 Mai 2017 01:33:17 CEST): > > One workaround would be to only process "-be" when invoked as "exim", ... > and not when the last path component argv[0] is "sendmail". I'm working on a "sendmail" to be shipped with Exim, replacing the current

Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-07 Thread Viktor Dukhovni
> On May 7, 2017, at 3:08 PM, ad...@bugs.exim.org wrote: > > Maybe it would be possible to avoid accepting further command line arguments > after “-f“, but that doesn't seem sufficiently backwards-compatible. No, but behaving like a minimal sendmail(1)-compatible CLI when argv[0] ends in

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-07 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 Florian Weimer changed: What|Removed |Added CC||f...@deneb.enyo.de ---

Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread Viktor Dukhovni
> On May 5, 2017, at 5:41 PM, Andrew C Aitchison wrote: > > On Fri, 5 May 2017, ad...@bugs.exim.org wrote: > >> https://bugs.exim.org/show_bug.cgi?id=2118 >> >> --- Comment #5 from Heiko Schlittermann --- >> (In reply to Sandor Takacs from

Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread Andrew C Aitchison
On Fri, 5 May 2017, ad...@bugs.exim.org wrote: https://bugs.exim.org/show_bug.cgi?id=2118 --- Comment #5 from Heiko Schlittermann --- (In reply to Sandor Takacs from comment #0) I found this WordPress + Exim remote code execution exploit on exploit-db site. It uses

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 --- Comment #5 from Heiko Schlittermann --- (In reply to Sandor Takacs from comment #0) > I found this WordPress + Exim remote code execution exploit on exploit-db > site. It uses "exim -be '${run...}'" to place payload on the

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 Heiko Schlittermann changed: What|Removed |Added CC|

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 --- Comment #3 from Jeremy Harris --- You've created a file. In a place you're allowed to create files. Where's the remote shell? What attacked site?

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 --- Comment #2 from Sandor Takacs --- If you run this as www-data you can create a remote shell to the attacked site as the linked PoC says. I tried it in my FreeBSD box: [r...@alkoholista.hu ~]# ls -l /tmp/test ls: /tmp/test: No

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118 --- Comment #1 from Jeremy Harris --- Please explain why this is a problem? If you can run commands you can do stuff, yes. Just like being able to run, say, "dd". What you can write still depends on who you are and what

[exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem

2017-05-05 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2118

Sandor Takacs changed:

What | Removed | Added
CC   |         | t...@alkoholista.hu