[15591] in bugtraq
Nasty hole in postifx/procmail/cyrus
daemon@ATHENA.MIT.EDU (John Pettitt)
Sun Jul 2 14:13:52 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <4.3.2.7.2.20000629232105.00b00ae0@gatekeeper.cloudview.com>
Date: Fri, 30 Jun 2000 15:12:36 -0700
Reply-To: John Pettitt <jpp@CLOUDVIEW.COM>
From: John Pettitt <jpp@CLOUDVIEW.COM>
X-To: postfix-users@cloud9.net
To: BUGTRAQ@SECURITYFOCUS.COM
There are a number of hacks about that allow postfix to deliver to cyrus
imap mailboxes via procmail. It turns out that at least one of these has
a hole in it that allows bad guy to run code as the cyrus user.
Prerequisites:
1) procmail installead as mailbox_transport under postfix (this is a hack
to get procmail to run under the cyrus user id). If procmail is run as
mailbox_command there does not seem to be an issue and postfix nukes all
the shell stuff before procmail gets called.
2) an /etc/procmailrc that looks like this (or similar - the main feature
being to trust the userdata - in this case $1)
# some reasonable defaults
SHELL=/bin/sh
DELIVER="/usr/cyrus/bin/deliver -a $1"
MAILTO=$1
MAILBOX=$2
# this enables automated procmail recipe creation for users;
# roll your own tool to allow creation of procmail recipes on a per-user
# basis and place them there, but don't let users edit their own recipes
INCLUDERC=/etc/procmailrcs/$1
# make sure EXITCODE is clear: then it will take the value of the TRAP return
EXITCODE=""
TRAP="/usr/cyrus/bin/deliver -m $2 -- $1"
# Procmail voodoo. The TRAP handles the mail delivery. We have to
# prevent procmail from attempting a second delivery.
#
# in one line, kill procmail:
HOST=
When procmail processes the INCLUDERC and TRAP lines backquote expansion
happens. Sending a message `shell commands`@myhost.com will cause the
commands to run under whatever ID procmail happens to be running as
(typically cyrus).
Also if mail is sent to baduser procmail will disclose the path to it's
include dir in the reply. Mail can then be set to say ../passwd which
will case procmail to read passwd as a recipie file and barf it's contests
as an error response.
All of the above can be plugged by adding:
:0
*$ ! $MAILTO ?? .*[A-ZA-z0-9\-_]?
/tmp/bad
#or /dev/null according to taste
before the INCLUDERC line in /etc/procmailrc
John
John Pettitt Email: jpp@cloudview.com
Remember: It's Always Darkest just Before it goes Pitch Black.
Notice: If you want your email to be private you should encrypt it!
My PGP keys are on the MIT & pgp.com servers.
PGP Key fingerprint: 81B5 446D 3E0E 1CDE 5A45 644A A744 54C4 7886 3658
You can get PGP free from http://web.mit.edu/network/pgp.html
