Vigil@nce - procmail: file reading via TZ
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can set the TZ environment variable before
sending an email calling procmail, in order to force the opening
of a file, or a denial of service if this file is blocking.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 13/02/2015
DESCRIPTION OF THE VULNERABILITY
The procmail program is called to manage received emails.
The procmail program filters environment variables which are
potentially dangerous. However, procmail keeps the TZ variable,
which can indicate the name of a Time Zone file. The procmail
application, linked to the glibc, thus opens this file to analyze
its timing information. It can be noted that the content of this
file is never returned to the user.
A local attacker can therefore set the TZ environment variable
before sending an email calling procmail, in order to force the
opening of a file, or a denial of service if this file is blocking.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/procmail-file-reading-via-TZ-16189