Sendmail RCPT TO Command Arbitrary File Overwrite

critical Nessus Plugin ID 10259

Synopsis

The remote SMTP server is vulnerable to authentication bypass.

Description

The remote SMTP server did not complain when issued the command :
MAIL FROM: root@this_host RCPT TO: /tmp/nessus_test

This probably means that it is possible to send mail directly to files, which is a serious threat, since this allows anyone to overwrite any file on the remote server.

*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.
*** Check for the presence of file 'nessus_test' in /tmp !

Solution

This plugin tests for a generic condition.
It may be remedied by upgrading, reconfiguring, or changing your SMTP Server (MTA).

Plugin Details

Severity: Critical

ID: 10259

File Name: smtp_file.nasl

Version: Revision: 1.33

Type: remote

Published: 8/30/1999

Updated: 12/9/2016

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Excluded KB Items: SMTP/wrapped, SMTP/qmail, SMTP/postfix, SMTP/microsoft_esmtp_5