Bug#369542: marked as done (security problem in ssmtp package (password exposure))

Debian Bug Tracking System Mon, 04 Dec 2006 09:25:40 -0800

Your message dated Mon, 04 Dec 2006 13:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369542: fixed in ssmtp 2.61-10.1
has caused the attached Bug report to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

Package: ssmtp
Version: 2.61


PREFACE: As I am a Gentoo Linux user, I first reported this to the
Gentoo team about 1 month ago. As yet nothing's happened, so I'm
reporting it upstream as well. The Gentoo bug URL is
https://bugs.gentoo.org/show_bug.cgi?id=132376

Here is a copy of the bug report. My apologies if this information is
duplicate. I hope for a speedy resolution.

"Information leak in mail-mta/ssmtp leads to password exposure"

Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage.

ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which
requires a username and password. For example, this is a valid ssmtp.conf:



mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
AuthPass=123456
AuthMethod=LOGIN


naturally, my AUTH SMTP password is in there - so I have done the following:

chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp

giving...

-rw-r----- 1 root mail  1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp

...as intended.

however, as an unprivileged user,

[EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>
Hi. Nothing else.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[->] MTIzNDU2
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
[<-] 250 ok
[->] RCPT TO:<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri,  5 May 2006
21:23:02 +0100
[->] From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
[->] Date: Fri,  5 May 2006 21:23:02 +0100
[->] To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
[->] Subject: This is a test.
[->]
[->] Hi. Nothing else.
[->] .
[<-] 250 ok 1146860502 qp 8976
[->] QUIT
[<-] 221 rain.1dnb.com


All I can say is... oops. As you can see, the password is quite clearly visible
in the output (albeit base64 encoded).

Patch attached that removes this specific information leak (the rest of the
info is left in for debugging). 

A more secure (optional?) patch would possibly remove the username, or the -v
option altogether.

with the patch, we get the following output instead:

[EMAIL PROTECTED] ~ $ mail -v -s "a test! hah." [EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>
Hi. This is all, 2.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
[<-] 250 ok
[->] RCPT TO:<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri,  5 May 2006
21:26:59 +0100
[->] From: "root" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
[->] Date: Fri,  5 May 2006 21:26:59 +0100
[->] To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
[->] Subject: a test! hah.
[->]
[->] Hi. This is all, 2.
[->] .
[<-] 250 ok 1146860738 qp 31085
[->] QUIT
[<-] 221 rain.1dnb.com


--- ssmtp-2.61/ssmtp.c  2004-07-23 06:58:48.000000000 +0100
+++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.000000000 
+0100
@@ -1281,6 +1281,7 @@
        struct passwd *pw;
        int i, sock;
        uid_t uid;
+       bool_t minus_v_save;

        uid = getuid();
        if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
@@ -1381,7 +1382,13 @@
 #ifdef MD5AUTH
                }
 #endif
+                /* We do NOT want the password output to STDERR
+                * even base64 encoded.*/
+               minus_v_save = minus_v;
+               minus_v = False;
                smtp_write(sock, "%s", buf);
+               minus_v = minus_v_save;
+
                (void)alarm((unsigned) MEDWAIT);

                if(smtp_okay(sock, buf) == False) {

(EOF)

--  
Ben XO

--- End Message ---

--- Begin Message ---

Source: ssmtp
Source-Version: 2.61-10.1

We believe that the bug you reported is fixed in the latest version of
ssmtp, which is due to be installed in the Debian FTP archive:

ssmtp_2.61-10.1.diff.gz
  to pool/main/s/ssmtp/ssmtp_2.61-10.1.diff.gz
ssmtp_2.61-10.1.dsc
  to pool/main/s/ssmtp/ssmtp_2.61-10.1.dsc
ssmtp_2.61-10.1_amd64.deb
  to pool/main/s/ssmtp/ssmtp_2.61-10.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <[EMAIL PROTECTED]> (supplier of updated ssmtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  4 Dec 2006 11:03:19 +0000
Source: ssmtp
Binary: ssmtp
Architecture: source amd64
Version: 2.61-10.1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Changed-By: Andreas Barth <[EMAIL PROTECTED]>
Description: 
 ssmtp      - extremely simple MTA to get mail off the system to a mail hub
Closes: 369542
Changes: 
 ssmtp (2.61-10.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix Information leak in ssmtp that leads to password exposure.
     Closes: #369542
Files: 
 100c799bde5b0cc84191c551f4bf1110 627 mail extra ssmtp_2.61-10.1.dsc
 0826c70d82f425888f614a81b8a29b51 32185 mail extra ssmtp_2.61-10.1.diff.gz
 c80f27c1cd4ccd98c88e4ad461fa0cce 44294 mail extra ssmtp_2.61-10.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFdCJ0mdOZoew2oYURAn5ZAKCT2S1x9cAqnvdDSMgoUkvbw9Cr3wCfWD2U
B+jdwMX9iRhXY5iChW02wyw=
=ww2y
-----END PGP SIGNATURE-----

--- End Message ---

Bug#369542: marked as done (security problem in ssmtp package (password exposure))

Reply via email to