[8750] in bugtraq


PostFix security Problem

daemon@ATHENA.MIT.EDU (bobk)
Sun Dec 20 20:10:42 1998

Date: 	Sun, 20 Dec 1998 19:20:42 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: bobk <bobk@SINISTER.COM>
To: BUGTRAQ@NETSPACE.ORG

Version: Postfix Beta-19981211
Severity: Moderate
Type: Access Control
Fix: Not yet available

NO, this is not a remote root exploit script!

This bug affects the access control used by postfix. By subverting the
access control mechanism, an attacker could use a postfix server as a
relay for SPAM (UCE). This can result in huge network load, having your
server added to black-hole lists, denial of service attacks, and much
abuse and frustration.

Like many things I touch, it is a DNS issue. When a client connects to a
PostFix server, postfix does a DNS query for the name associated with the
connecting IP address, and proceeds to use this name in its access control
decisions. The problem is that PostFix fails to double-check the name
returned for the IP address, i.e. it does not do a gethostbyname() on the
name returned by gethostbyaddr() and make sure they match. gethostbyaddr()
alone is not secure, as anyone who has control of the DNS for their
address space (is authoritative for it) can trivially forge the answer
returned for an in-addr.arpa PTR query.

In addition to the SPAM problems, this forged address is also what appears
in the system logs (although the IP address is also logged). This could
lead an unwary sysadmin to think that connections, and possible attacks,
were coming from a place where they were not.

Robert Keyes
Security Consultant,
Cambridge Massachusetts

p.s. I am available for security work
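The double check the post says Postfix omits (resolve the PTR name forward and require the connecting address to be among the results), written out as an added example; this is neither Postfix code nor the poster's. The resolver calls are passed in as arguments so the check runs offline against a constructed zone table (documentation address ranges); in production the `ptr` and `addr` arguments would wrap `socket.gethostbyaddr` and `socket.getaddrinfo`.

```python
from typing import Callable, Iterable, Optional

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name or None
AddrLookup = Callable[[str], Iterable[str]]  # name -> forward addresses


def confirmed_client_name(ip: str, ptr: PtrLookup, addr: AddrLookup) -> Optional[str]:
    """Return the PTR name for ip only if it is forward-confirmed.

    A PTR answer alone is controlled by whoever is authoritative for the
    client's in-addr.arpa zone. Resolving that name forward and requiring
    ip to be among the results means a forged name would also need control
    of the forward zone, which an outsider does not have.
    """
    name = ptr(ip)
    if not name:
        return None                       # no PTR: client stays unnamed
    try:
        forward = set(addr(name))
    except OSError:
        return None                       # forward lookup failed: unnamed
    return name if ip in forward else None


def relay_permitted(ip: str, trusted_domain: str,
                    ptr: PtrLookup, addr: AddrLookup) -> bool:
    """Name-based relay decision that never acts on an unconfirmed name."""
    name = confirmed_client_name(ip, ptr, addr)
    return name is not None and name.lower().endswith("." + trusted_domain.lower())


# Constructed zone data for the offline run. The reverse zone for
# 203.0.113.0/24 is under an outsider's control and claims to be the
# trusted relay; the trusted forward zone does not point back at it.
FAKE_PTR = {"203.0.113.7": "mail.example.com",   # forged PTR
            "192.0.2.10": "mail.example.com"}    # genuine server
FAKE_A = {"mail.example.com": ["192.0.2.10"]}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_addr(name: str) -> Iterable[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.10", "203.0.113.7", "198.51.100.1"):
        print(client, "->", confirmed_client_name(client, fake_ptr, fake_addr),
              "relay:", relay_permitted(client, "example.com", fake_ptr, fake_addr))
```

With the forged PTR the connecting address is logged unnamed rather than as `mail.example.com`, which also addresses the misleading-log point raised above.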
