Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: tnef-1.htm

Tnef File overwrite vulnerability



    tnef < 0-124


    Tnef extracts eMails compressed  with MS-Outlook.  The  compressed
    file includes the path name to which the decompressed data  should
    be written.

    By specifing a path name like /etc/passwd and sending a compressed
    mail  to  root  an  adversary  could  gain remote root access to a
    system by overwriting the local password database.  The same could
    happen if a mail virus scanner, like AMaVIS, process' a  malicious

    TNEF  support  was  added  to  AMaViS 0.2.0-pre6-clm-rl-8-20000604
    (previous versions are therefore *not* affected), but AMaViS  does
    not run as root  when used with qmail,  exim and postfix.   AMaViS
    is run as root, when used  with sendmail and AMaViS is called  via
    Mlocal.  AMaViS may not run  as root, when used with sendmail  and
    the new relay scanning setup for AMaViS (--enable-relay).


    It's also possible to use the  '-x' option of tnef to specify  the

    For SuSE Linux:

    A  fix  for  this  possible  security  hole was provided in AMaViS
    0.2.0-pre6-clm-rl-8-20000704. It's available at

    It  is  recommended  to  use  Mark  Simpson's  TNEF which does not
    suffer from this security problem, as it supportes the -d flag  to
    extract files to a specific directory.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH