Re: -x on Postfix, and a possible fix.

spamass-milt-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: -x on Postfix, and a possible fix.

From:	Tony Shadwick
Subject:	Re: -x on Postfix, and a possible fix.
Date:	Tue, 08 Jun 2010 08:53:22 -0500
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100423 Lightning/1.0b1 Thunderbird/3.0.4

On 06/07/2010 07:14 PM, Don Armstrong wrote:

On Mon, 07 Jun 2010, Tony Shadwick wrote:
 > In spamass-milter.cpp, you have this:
 >
 > /* open a pipe to sendmail so we can do address
 > expansion */
 >
 > char buf[1024];
 > char *fmt="%s -bv \"%s\" 2>&1";
 >
 > I changed it to be this instead:
 >
 > char *fmt="%s -q \"%s\" /etc/postfix/virtual 2>&1";

You don't want to do this. This leads to the remote exploit of
spamass-milter shown and fixed here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228

 > Huh? Why are the < and > getting left on the address? I didn't
 > comment anything out that got ride of them. Have they always been
 > passed to sendmail -bv?

sendmail is passed the envelope recipient directly as it is reported
to spamass-milter; '<address@hidden>' is a perfectly legitimate envelope
recipient.


Don Armstrong

--
No matter how many instances of white swans we may have observed, this
does not justify the conclusion that all swans are white.
-- Sir Karl Popper _Logic of Scientific Discovery_

http://www.donarmstrong.com http://rzlab.ucr.edu

_______________________________________________
Spamass-milt-list mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/spamass-milt-list

Although I must acknowledge this as a problem, this is somewhat thefault of a negligent systems administrator. In order:


#1 Allowing postfix to mail directly to programs to begin with.

#2 Having -x set on a Postfix box doesn't even work properly at current,so there's no reason to do it - you will fork bomb yourself to oblivionas spamass-milter sits around waiting for sendmail -bv to return withproper info, which it never will.


#3 Allowing mail from without a ehlo/helo.

Example to my own host (ehlo left out - possibly the report did the same):

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
rcpt to: root+:"|touch /tmp/numbskitime"
503 5.0.0 Need MAIL before RCPT
mail from: <address@hidden>
250 2.1.0 <address@hidden>... Sender ok
rcpt to: root+:"|touch /tmp/numbskitime"

550 5.7.1 root+:"|touch /tmp/numbskitime"... Cannot mail directly toprograms

My solution is really a bit pragmatic. Yes, it does somewhat open thedoor. I'm mostly done with a set of changes that allows you to pass -Xinstead of -x. -X would then take an argument to a script that you canpass an envelope recipient to, and it will return a valid user whose SAprefs would be used, or null.

I guess I'm wondering where the responsibility of the milter author lieswhen a misconfigured system is set up this way. At the end of the day,there's not a situation that will ever arise where -x is appropriate,and for my example, I have a perl script that strips the <> from theenvelope, and then calls postmap -q (content left in the envelope)/etc/virtual.


So with their example exploit, you would have 3 hurdles.

#1 - will the mta allow you to do this. Attempting to do this to a(more or less stock) Ubuntu configuration yeilds:


rcpt to: root+:"|touch /tmp/numbskitime"

504 5.5.2 <root+:|touch /tmp/numbskitime>: Recipient address rejected:need fully-qualified address

rcpt to: <root+:"|touch /tmp/numbskitime">

504 5.5.2 <root+:|touch /tmp/numbskitime>: Recipient address rejected:need fully-qualified address

So no, the administrator needs to do something a bit dumb to allow thisto happen.

#2 If the administrator was dumb enough to let the above happen, whatdoes spamass-milter do with it? Well, with -x, the following gets run:


sendmail -bv root+:|touch /tmp/numbskitime

On both postfix and sendmail, this does in fact work. I'm not certainas to why right offhand, as it really should not. That's a problem.Now, given that someone did -X with my code and happened to write ascript that essentially called "sendmail -bv". That's a problem. In mycase however, I'm calling postmap. Trying that yields:


postmap -q "root+:|touch /tmp/numbskitime" /etc/postfix/virtual

Nothing.  No temp file gets dropped.  It just returns null.

So in short, my mod is (so far) harmless. One can put themselves in abad spot, but if so, they did it to themselves. :\

So far as fixing -x...I just don't know. Maybe some sanity checking tomake sure that there are no pipe symbols in the address being passedthrough?


Tony Shadwick

[Prev in Thread]

Current Thread

[Next in Thread]

Re: -x on Postfix, and a possible fix., Tony Shadwick, 2010/06/07
- Re: -x on Postfix, and a possible fix., Don Armstrong, 2010/06/07
  - Re: -x on Postfix, and a possible fix., Tony Shadwick <=
    - Re: -x on Postfix, and a possible fix., Tony Shadwick, 2010/06/08
    - Re: -x on Postfix, and a possible fix., Don Armstrong, 2010/06/08
    - Re: -x on Postfix, and a possible fix., Tony Shadwick, 2010/06/08
    - Re: -x on Postfix, and a possible fix., Tony Shadwick, 2010/06/08
    - Re: -x on Postfix, and a possible fix., Don Armstrong, 2010/06/08
    - Re: -x on Postfix, and a possible fix., Tony Shadwick, 2010/06/09
    - Re: -x on Postfix, and a possible fix., Tony Shadwick, 2010/06/10
    - Re: -x on Postfix, and a possible fix., Don Armstrong, 2010/06/10

Prev by Date: Re: -x on Postfix, and a possible fix.
Next by Date: Re: -x on Postfix, and a possible fix.
Previous by thread: Re: -x on Postfix, and a possible fix.
Next by thread: Re: -x on Postfix, and a possible fix.
Index(es):
- Date
- Thread