Package: ssmtp
Version: 2.61

PREFACE: As I am a Gentoo Linux user, I first reported this to the Gentoo team about 1 month ago. As yet nothing's happened, so I'm reporting it upstream as well. The Gentoo bug URL is
https://bugs.gentoo.org/show_bug.cgi?id=132376

Here is a copy of the bug report. My apologies if this information is duplicate. I hope for a speedy resolution.

"Information leak in mail-mta/ssmtp leads to password exposure"

Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage.

ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which requires a username and password. For example, this is a valid ssmtp.conf:

mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
[EMAIL PROTECTED]
AuthPass=123456
AuthMethod=LOGIN

Naturally, my AUTH SMTP password is in there - so I have done the following:

chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp

giving...

-rw-r----- 1 root mail  1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp

...as intended. However, as an unprivileged user:

[EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED]
Hi. Nothing else.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[->] MTIzNDU2
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] RCPT TO:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:23:02 +0100
[->] From: [EMAIL PROTECTED]
[->] Date: Fri, 5 May 2006 21:23:02 +0100
[->] To: [EMAIL PROTECTED]
[->] Subject: This is a test.
[->]
[->] Hi. Nothing else.
[->] .
[<-] 250 ok 1146860502 qp 8976
[->] QUIT
[<-] 221 rain.1dnb.com

All I can say is... oops. As you can see, the password is quite clearly visible in the output (albeit base64 encoded).

Patch attached that removes this specific information leak (the rest of the info is left in for debugging). A more secure (optional?) patch would possibly remove the username, or the -v option altogether.

With the patch, we get the following output instead:

[EMAIL PROTECTED] ~ $ mail -v -s "a test! hah." [EMAIL PROTECTED]
Hi. This is all, 2.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] RCPT TO:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:26:59 +0100
[->] From: "root" <[EMAIL PROTECTED]>
[->] Date: Fri, 5 May 2006 21:26:59 +0100
[->] To: [EMAIL PROTECTED]
[->] Subject: a test! hah.
[->]
[->] Hi. This is all, 2.
[->] .
[<-] 250 ok 1146860738 qp 31085
[->] QUIT
[<-] 221 rain.1dnb.com

--- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.000000000 +0100
+++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.000000000 +0100
@@ -1281,6 +1281,7 @@
struct passwd *pw;
int i, sock;
uid_t uid;
+ bool_t minus_v_save;
uid = getuid();
if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
@@ -1381,7 +1382,13 @@
#ifdef MD5AUTH
}
#endif
+ /* We do NOT want the password output to STDERR
+ * even base64 encoded.*/
+ minus_v_save = minus_v;
+ minus_v = False;
smtp_write(sock, "%s", buf);
+ minus_v = minus_v_save;
+
(void)alarm((unsigned) MEDWAIT);
if(smtp_okay(sock, buf) == False) {
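Review bot: toggling the global `minus_v` around a single `smtp_write()` call makes the password line vanish from the verbose transcript with no trace that anything was sent, as the report's own after-output shows (the `334 UGFzc3dvcmQ6` challenge is followed directly by `235 ok`), which will puzzle anyone using `-v` to debug an authentication failure; consider writing a fixed placeholder such as `[->] <password not shown>` to stderr in the verbose path instead of suppressing the line, or giving `smtp_write()` a parameter so the caller does not have to save and restore a global. Note also that only this one write is wrapped: the base64 username on the `AUTH LOGIN` line sent earlier is still echoed, as the report itself acknowledges.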
(EOF)
--
Ben XO
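A defender-side complement to the patch, added here as an example that is not part of the report or of ssmtp: a scrubber for `-v` transcripts that have already been captured (in bug reports, cron mails, shell logs), which redacts the AUTH LOGIN password by decoding the server's 334 challenge rather than by line position, and, going beyond the LOGIN case on this page, also blanks AUTH PLAIN initial responses. The sample transcript and its credentials (user@example.com / 123456) are constructed for the example.

```python
import base64
import re

# Constructed sample of an ssmtp -v transcript in the shape shown in the report;
# the credentials are made up (user@example.com / 123456, base64 on the wire).
SAMPLE_TRANSCRIPT = """\
[<-] 220 rain.example ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN dXNlckBleGFtcGxlLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[->] MTIzNDU2
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<user@example.com>
[->] AUTH PLAIN AHVzZXJAZXhhbXBsZS5jb20AMTIzNDU2
"""
REDACTED = "<redacted>"

def _b64_text(token):
    """Decode a base64 token to text, or '' if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ""

def scrub_transcript(text, keep_username=True):
    """Blank out SASL credentials in a '[<-]'/'[->]' SMTP debug transcript.
    AUTH LOGIN: the client line answering a 334 'Password:' challenge is the
    password. AUTH PLAIN: the initial-response blob itself holds the password."""
    out, redact_next = [], False
    for line in text.splitlines():
        m = re.match(r"\[(<-|->)\] (.*)", line)
        if not m:
            out.append(line)
            continue
        direction, payload = m.groups()
        if direction == "->" and redact_next:
            payload, redact_next = REDACTED, False
        elif direction == "<-" and payload.startswith("334 "):
            challenge = _b64_text(payload[4:].strip()).lower()
            redact_next = challenge.startswith("password") or (
                challenge.startswith("username") and not keep_username)
        elif direction == "->" and payload.upper().startswith("AUTH "):
            parts = payload.split(None, 2)  # AUTH <mechanism> [initial-response]
            if len(parts) == 3 and (parts[1].upper() == "PLAIN" or not keep_username):
                parts[2] = REDACTED
            payload = " ".join(parts)
        out.append(f"[{direction}] {payload}")
    return "\n".join(out) + "\n"
```

With `keep_username=False` the base64 username on the `AUTH LOGIN` line (and any answer to a 334 `Username:` challenge) is blanked as well, matching the stricter variant the report mentions.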