Forging with the Queue Directory
All versions of sendmail trust the files in the mail queue. They assume that only sendmail has placed files there. As a consequence, a poorly protected queue directory can allow the attacker to create mail that looks 100% authentic. This can be used to send forged mail, to append to system-critical files, or to run arbitrary programs as root or other users. Consider the following bogus qfl0NFMs3g016812 file for sending forged mail (qf files are described in The qf File Internals on page 445):
V8
T829313834
N0
P943442
Fs
$_root@yourhost
S<root@yourhost>
RPFD:george@yourhost
H?P?return-path: <root@yourhost>
Hmessage-id: <200712141257.l0NFSKNK016837@yourhost>
HFrom: root@yourhost
HDate: Thu, 14 Dec 2007 05:47:46 -0800
HTo: george@yourhost
HSubject: Change your Password Now!!
This qf file causes mail to be sent to george that appears in all ways to come from root. There is nothing in this qf file to indicate to the recipient (or to sendmail) that the message is not authentic. Now further suppose that the df file (the message body) contains the following text:
The system has been compromised.
Change your password NOW!
Your new password must be: Fuzz7bal
Thank you,
—System Administration
Unfortunately, in any large organization there will be more than a few users who will obey a message such as this. They will gladly change their password to one assigned to them, thereby providing the attacker with easy access to their accounts.
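As an added example (not code from the book), a small Python audit that splits a qf file by the code letter that starts each line and reports a queue directory whose owner or mode would let someone other than root place files in it. The qf listing above is embedded as constructed sample input; the expected state of /var/spool/mqueue (root-owned, mode 0700) is an assumption made here.

```python
import os
import stat

# The forged qf file from the text above, embedded as constructed sample input.
SAMPLE_QF = """V8
T829313834
N0
P943442
Fs
$_root@yourhost
S<root@yourhost>
RPFD:george@yourhost
H?P?return-path: <root@yourhost>
Hmessage-id: <200712141257.l0NFSKNK016837@yourhost>
HFrom: root@yourhost
HDate: Thu, 14 Dec 2007 05:47:46 -0800
HTo: george@yourhost
HSubject: Change your Password Now!!
"""

def parse_qf(text):
    """Split a qf file by the code letter starting each line (S sender, R recipient, H header, $ macro)."""
    rec = {"sender": None, "recipients": [], "headers": {}, "macros": {}}
    for line in filter(None, text.splitlines()):
        code, body = line[0], line[1:]
        if code == "S":
            rec["sender"] = body.strip("<>")
        elif code == "R":  # 'RPFD:addr': per-recipient flags, then the address
            rec["recipients"].append(body.split(":", 1)[-1])
        elif code == "H":  # 'H?P?name: value': optional ?flags? before the header
            body = body.split("?", 2)[-1] if body.startswith("?") else body
            name, _, value = body.partition(":")
            rec["headers"][name.strip().lower()] = value.strip()
        elif code == "$":  # '$_value' (one-letter macro) or '${name}value'
            name, _, value = body[1:].partition("}") if body[:1] == "{" else (body[:1], "", body[1:])
            rec["macros"][name] = value
    return rec

def queue_dir_findings(st_mode, st_uid):
    """Report a queue directory whose owner or mode lets non-root users place files (root-owned 0700 assumed correct)."""
    findings = []
    if st_uid != 0:
        findings.append("queue directory is not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("queue directory is writable by others: a forged qf/df pair can be dropped in")
    return findings

def audit_queue_dir(path="/var/spool/mqueue"):
    st = os.stat(path)  # run as root on a live sendmail host
    return queue_dir_findings(st.st_mode, st.st_uid)
```

Running parse_qf on the sample shows the envelope sender, the From header and the $_ macro all claiming root, which is exactly what a reader of the queue cannot distinguish from a genuine root submission.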
The queue directory must be ...