COMMAND

tnef

SYSTEMS AFFECTED

tnef < 0-124

PROBLEM

Tnef extracts e-mails compressed with MS-Outlook. The compressed file includes the path name to which the decompressed data should be written. By specifying a path name like /etc/passwd and sending a compressed mail to root, an adversary could gain remote root access to a system by overwriting the local password database. The same could happen if a mail virus scanner, like AMaViS, processes a malicious mail.

TNEF support was added to AMaViS 0.2.0-pre6-clm-rl-8-20000604 (previous versions are therefore *not* affected), but AMaViS does not run as root when used with qmail, exim and postfix. AMaViS is run as root when used with sendmail and AMaViS is called via Mlocal. AMaViS may not run as root when used with sendmail and the new relay scanning setup for AMaViS (--enable-relay).

SOLUTION

It's also possible to use the '-x' option of tnef to specify the output file.

For SuSE Linux:

ftp://ftp.suse.com/pub/suse/axp/update/6.3/ap1/tnef-0-124.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/tnef-0-124.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/ap1/tnef-0-124.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tnef-0-124.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/tnef-0-124.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/tnef-0-124.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/tnef-0-124.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tnef-0-124.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/ap1/tnef-0-124.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/zq1/tnef-0-124.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/tnef-0-124.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tnef-0-124.src.rpm

A fix for this possible security hole was provided in AMaViS 0.2.0-pre6-clm-rl-8-20000704. It's available at:

http://sourceforge.net/projects/amavis
http://cvsweb.amavis.org/
http://www.computer-networking.de/~link/security/amavis-patch.php3#latest_sources

It is recommended to use Mark Simpson's TNEF, which does not suffer from this security problem, as it supports the -d flag to extract files to a specific directory.
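The core defect above is that the attachment name carried inside the TNEF stream is trusted as an output path. The following is an added illustration, not code from tnef, AMaViS or Mark Simpson's TNEF, of the check an extractor needs before opening the output file: the name is validated and confined below a caller-chosen directory (the function name, the output directory and the sample names are assumptions).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical hardened check (not tnef's own code): instead of writing to
 * the path stored in the TNEF stream, validate the attachment name and
 * confine it below outdir. Returns 0 and fills out[] with the joined path,
 * or -1 if the name must be rejected or does not fit in out[].
 */
int safe_output_path(const char *outdir, const char *name,
                     char *out, size_t outlen)
{
    size_t n = strlen(name), i, start;
    int rc;

    if (n == 0)
        return -1;                                   /* nothing to write */
    if (name[0] == '/' || name[0] == '\\')
        return -1;                                   /* absolute path, e.g. /etc/passwd */
    if (n >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':')
        return -1;                                   /* Windows drive letter, e.g. C:\... */

    /* Walk every component; TNEF comes from Windows, so both separators count. */
    for (i = 0, start = 0; i <= n; i++) {
        if (i < n && name[i] != '/' && name[i] != '\\')
            continue;
        size_t len = i - start;
        if (len == 0)
            return -1;                               /* "a//b" or trailing separator */
        if (name[start] == '.' && (len == 1 || (len == 2 && name[start + 1] == '.')))
            return -1;                               /* "." or ".." component */
        start = i + 1;
    }

    /* Join under outdir; snprintf's return value reveals truncation. */
    rc = snprintf(out, outlen, "%s/%s", outdir, name);
    if (rc < 0 || (size_t)rc >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char path[256];
    const char *samples[] = { "report.doc", "/etc/passwd", "..\\..\\etc\\passwd" };
    for (size_t k = 0; k < 3; k++)                   /* constructed sample names */
        printf("%-22s -> %s\n", samples[k],
               safe_output_path("/var/tmp/tnef", samples[k], path, sizeof path) == 0
                   ? path : "REJECTED");
    return 0;
}
```

On POSIX a backslash that survives the check is an ordinary filename character, so the result stays inside outdir; the directory itself should still be a fresh, unprivileged temporary directory, as the -d and -x options let the caller arrange.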