Bugzilla – Bug 988
CVE-2010-2023 - vulnerability with world-writable sticky mbox mail directory
Last modified: 2011-05-19 12:37:45 UTC
[Copied from original notification email and followups]

When Exim is used with a world-writable mail directory with the sticky-bit set, local users may create hard links to other non-root users' files at the expected location of those users' mailboxes, causing their files to be written to upon mail delivery. This could be used to create denial-of-service conditions or potentially escalate privileges to those of targeted users. This issue has been assigned CVE-2010-2023.

[...]

Let me know if you have any questions about these issues, or have any problems with the patch. Even though neither of these two vulnerabilities affects many downstream distributions by default (since sticky-bit mail directories are becoming more rare and MBX locking isn't used by many distributions), I'd like to publish an advisory for these issues independently once you have released a fix. I'd appreciate it if you kept me posted on any progress in regards to these issues.

[Followup message]

For the first issue, it's not a matter of reading a user's mail, but causing mail deliveries to that user to overwrite other files owned by that user. For example, if we use your example of victim "foo" and attacker "bar", where "foo" has no mailbox, "bar" can create a hardlink to another one of foo's files, such as /home/foo/.bashrc. Subsequent mail delivery will append to this file, allowing an attacker to append information to other users' files.
CVS commit by nm4:

Prevent hardlink attack on mbox sticky mail directory. fixes: bug #988

--- CVS commit summary ---
1.607 1.608 +3 -0 - exim/exim-doc/doc-txt/ChangeLog
1.24 1.25 +12 -0 - exim/exim-src/src/transports/appendfile.c
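
One way a delivery agent can refuse the hard-linked mailbox described in the report, as an added example that is not Exim's code and not the patch referenced in the commit above. The names open_mbox_checked and demo_mbox are hypothetical, and the demo works on constructed files in a private temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Exim's code): open an existing mbox for append
   only if it is a regular file owned by the recipient with exactly one link. */
int open_mbox_checked(const char *path, uid_t owner)
{
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode))
        return -1;                        /* missing, symlink, FIFO, ... */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) != 0
        || after.st_dev != before.st_dev  /* path swapped between lstat() */
        || after.st_ino != before.st_ino  /* and open()                   */
        || after.st_uid != owner          /* still true for a link to the owner's file */
        || after.st_nlink != 1) {         /* so the link count is what refuses it */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo. hardlinked=0: the mailbox is an ordinary file;
   hardlinked=1: the mailbox is a second name for another file of the same
   owner. Returns 1 if delivery would proceed, 0 if refused, -1 on setup error. */
int demo_mbox(int hardlinked)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", other[64], mbox[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(other, sizeof other, "%s/dotfile", dir);
    snprintf(mbox, sizeof mbox, "%s/foo", dir);
    int fd = open(hardlinked ? other : mbox, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || (hardlinked && link(other, mbox) != 0))
        return -1;
    fd = open_mbox_checked(mbox, geteuid());
    if (fd >= 0)
        close(fd);
    unlink(mbox);
    unlink(other);
    rmdir(dir);
    return fd >= 0;
}
```

The ownership test alone does not help here, because the linked file really does belong to the recipient; only the link count distinguishes it from a genuine mailbox.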