Sendmail decode/uudecode alias could allow remote attackers to create files on the system

Risk Level: High

Check or Attack Name: smtpdecode

Platforms: Unix, Sendmail

Description:

A common configuration for older mail transfer agents (MTAs) is to include an alias for the decode user. All mail sent to this user is passed to the uudecode program, which automatically converts and stores files. This configuration could allow a remote attacker to overwrite files on the system, which could possibly be used to gain remote access. A uudecode alias might also exist in some configurations.

Remedy:

Disable mail aliases for decode and uudecode. If the /etc/aliases or /usr/lib/aliases (mail alias) file contains entries for these programs, remove them or disable them by placing # at the beginning of the line, and then run the newaliases command. For more information on Unix mail aliases, refer to the man page for aliases. Disabled aliases would be similar to these examples:

# decode: "|/usr/bin/uudecode"
# uudecode: "|/usr/bin/uuencode -d"
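
To confirm the remedy took effect, the following added example (not part of the original advisory) scans an aliases file for entries that are still active. The function name find_decode_aliases, the filedrop alias and the sample file contents are constructed for illustration. Beyond the two alias names above, it also flags any alias whose target pipes into uudecode or uuencode, and it follows continuation lines.

```shell
#!/bin/sh
# Added example (not part of the original advisory): report aliases that are
# still active after the remedy. Flags entries named decode/uudecode and any
# alias whose target pipes mail into uudecode or uuencode.

find_decode_aliases() {   # $1 = aliases file; returns 1 if any entry is flagged
    awk '
        function flush(   name, target) {
            if (entry == "") return
            name = entry;   sub(/:.*/, "", name);  gsub(/[ \t"]/, "", name)
            target = entry; sub(/^[^:]*:/, "", target)
            if (tolower(name) ~ /^(uu)?decode$/ || target ~ /[|][^,]*uu(de|en)code/) {
                print start ": " entry      # line number where the entry begins
                found = 1
            }
            entry = ""
        }
        /^#/ || /^[ \t]*$/ { next }                               # comment or blank
        /^[ \t]/ { if (entry != "") entry = entry " " $0; next }  # continuation
        { flush(); entry = $0; start = NR }
        END { flush(); exit found + 0 }
    ' "$1"
}

# Constructed sample input: one disabled entry, one active entry split across
# two lines, and one differently named alias with the same kind of pipe target.
sample=$(mktemp)
cat > "$sample" <<'EOF'
postmaster: root
# decode: "|/usr/bin/uudecode"
Decode:
    "|/usr/bin/uudecode"
filedrop: "|/usr/bin/uuencode -d"
EOF

find_decode_aliases "$sample" || echo "active decode-style aliases found"
rm -f "$sample"
```

Run the function against /etc/aliases or /usr/lib/aliases; an exit status of 0 with no output means no active entries were found in that file.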

References:

CIAC Information Bulletin A-14, Additional information on the vulnerability in the UNIX DECODE alias, http://ciac.llnl.gov/ciac/bulletins/a-14.shtml

CIAC Information Bulletin A-13, Vulnerability in DECODE alias, http://ciac.llnl.gov/ciac/bulletins/a-13.shtml

