From: "Michael S. Fischer" <michael@dynamine.net>
To: "Kris Kennaway"
Cc:
Subject: Re: Fw: Re: imapd4r1 v12.264
Date: Mon, 17 Apr 2000 18:44:46 -0700
List: freebsd-security@freebsd.org

On Mon, 17 Apr 2000, Kris Kennaway wrote:
>
> > On Mon, 17 Apr 2000, Michael S. Fischer wrote:
> >
> > > This is the current version in the ports collection. Help!
> >
> > Briefly, the vulnerability seems to be that someone who has a mail account
> > on the server can get access to the user account which runs imapd. I don't
> > think it's something that can be exploited by an outsider, so it might be
> > that in your environment the threat is not significant.
>
> According to the message I just read on bugtraq by the vendor, it doesn't
> seem to be as bad as I described it above: imapd has dropped privileges by
> the time it hits the vulnerability, so exploiting it will only give access
> to the shell account of the user who has logged in to imap. This may still
> be a problem in some installations, i.e. if they don't provide shell
> access to their mail users on the imap server.
>
> Note that I haven't heard independent confirmation of the above, so it's
> subject to revision :-)

Are you saying that remotely giving access to the user's account isn't bad
enough? In my environment, certain users have sudo access...

--Michael