[15629] in bugtraq
Re: Nasty hole in postfix/procmail/cyrus
daemon@ATHENA.MIT.EDU (Philip Guenther)
Wed Jul 5 18:03:19 2000
Message-Id: <200007030102.UAA08437@solen.gac.edu>
Date: Sun, 2 Jul 2000 20:04:04 -0500
Reply-To: Philip Guenther <guenther@GAC.EDU>
From: Philip Guenther <guenther@GAC.EDU>
X-To: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <395DA418.5314B33C@bigfoot.com>
Dylan Griffiths <Dylan_G@BIGFOOT.COM> writes:
>Secure Postfix+Procmail+Cyrus micro-howto
>
>This should be secure, as $1, $2, etc, are not trusted nor read. Postfix
>parses the user@domain.dom part for us, and feeds USER= and EXTENSION= lines
>to procmail, which works on those variables only
How is it more secure to pass the values as variable assignments on the
command line instead of as $1, $2, etc? The error is in how the
variables are used, not what they are named.
>The entry in master.cf for procmail to be used as a mailbox_transport:
>
>procmail  unix  -       n       n       -       -       pipe
>    flags=R user=cyrus argv=/usr/bin/procmail -p \
>    /home/cyrus/procmail.common \
>    USER=${user} EXTENSION=${extension}
Does postfix check $(user) and $(extension) for evil characters
(including whitespace) before passing them to procmail? Does it require
$(user) to be an actual username? If not the latter, you're still open
to the ../../etc/passwd hack, and if not the former then your recipes
still allow remote attackers to change the arguments passed to deliver.
Procmail's variable expansion style was derived from the shells, and
therefore suffers all their defects. If you haven't sanitised it, you _must_
double-quote untrusted data to prevent filename globbing and word
breaking.
...
>INCLUDERC=/home/cyrus/procmail.$USER
Did you check USER for /s and ..s?
...
># If this fails, it tries without the extension
>:0w
>| $DELIVERMAIL -a $USER -e -q -m $EXTENSION $USER
What if EXTENSION or USER contains whitespace or a '*'? What if
EXTENSION is *empty* (Whoops, you just passed $USER to the -m flag. I
hope that didn't hurt).
# Only call deliver with an extension if we were passed a
# non-empty one
:0 w
* EXTENSION ?? .
| $DELIVERMAIL -a "$USER" -e -q -m "$EXTENSION" -- "$USER"
(Do you really want the -q flag here? You might as well turn off quotas
if you do.)
># If this fails, it returns error!
>:0w
>| $DELIVERMAIL -a $USER -e -q $USER
Likewise:
:0 w
| $DELIVERMAIL -a "$USER" -e -q -- "$USER"
Philip Guenther
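An added illustration of the three points Guenther raises above (unquoted expansion turning one value into several arguments, the argument shift when EXTENSION is empty, and the need to check USER before it reaches INCLUDERC). This is not part of the original thread; the hostile values and the `is_safe_name` whitelist are constructed for the example, and `count_args`/`arg_after_m` stand in for `deliver` so the argument list can be inspected.

```shell
#!/bin/sh
# Stand-in for $DELIVERMAIL: just report how many arguments arrived.
count_args() { echo "$#"; }

# Stand-in that prints the argument following -m (empty if none).
arg_after_m() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-m" ]; then echo "$2"; return 0; fi
        shift
    done
    echo ""
}

# Unquoted: a constructed hostile USER with whitespace is word-split,
# so deliver sees extra options it was never meant to get.  A '*'
# would likewise be glob-expanded against the working directory.
argc_unquoted() {
    u="alice -m evil"                      # constructed hostile value
    count_args -a $u -e -q -- $u           # 10 arguments
}

# Quoted, as in Guenther's corrected recipe: the value stays one word.
argc_quoted() {
    u="alice -m evil"                      # same constructed value
    count_args -a "$u" -e -q -- "$u"       # 6 arguments
}

# Empty EXTENSION, unquoted: "-m $EXTENSION $USER" collapses and the
# username lands in the -m slot.
empty_ext_unquoted() {
    ext=""; u="alice"
    arg_after_m -a $u -e -q -m $ext $u     # prints "alice"
}

# Same call with quoting: -m receives the (empty) extension, and USER
# stays after the "--" separator.
empty_ext_quoted() {
    ext=""; u="alice"
    arg_after_m -a "$u" -e -q -m "$ext" -- "$u"   # prints ""
}

# Mirror of the recipe guard "* EXTENSION ?? ." : only run the
# extension form when a non-empty extension was passed.
has_extension() { [ -n "$1" ]; }

# Whitelist check for USER/EXTENSION before they are used in
# INCLUDERC=/home/cyrus/procmail.$USER or on a command line.
# Rejects empty values, slashes, "..", whitespace and glob characters;
# the allowed set is a conservative constructed choice.
is_safe_name() {
    case "$1" in
        "" )                 return 1 ;;
        *..*|*/* )           return 1 ;;
        *[!A-Za-z0-9._+-]* ) return 1 ;;
    esac
    return 0
}

# Build the INCLUDERC path only for a value that passed the check.
includerc_for() {
    is_safe_name "$1" || return 1
    echo "/home/cyrus/procmail.$1"
}

# Demo output when run directly.
echo "unquoted argc: $(argc_unquoted), quoted argc: $(argc_quoted)"
echo "arg after -m with empty EXTENSION, unquoted: '$(empty_ext_unquoted)'"
for v in alice "../../etc/passwd" "alice -m evil" "*"; do
    if is_safe_name "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
```

The quoting fixes the word-splitting defect, but as the `empty_ext_*` functions show it does not by itself fix the empty-extension case: only the `* EXTENSION ?? .` condition (here `has_extension`) keeps the `-m` form from running at all when there is nothing to pass. The path check has to happen before the value is interpolated into INCLUDERC, since procmail will not do it for you.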