Bug Tracker item #2932993, was opened at 2010-01-15 18:34
Message generated for change (Comment added) made by sbajic
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1126467&aid=2932993&group_id=250683
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: daemon
Group: v3.9.0
>Status: Closed
>Resolution: Fixed
Priority: 9
Private: No
Submitted By: Enrico Scholz (ensc)
Assigned to: Stevan Bajic (sbajic)
Summary: Path traversal vulnerability

Initial Comment:
$ dspamc --classify --user ../../../../../../etc -- < /tmp/sp

# strace -f `pidof dspamd`
stat64("/var/lib/dspam/data/././../../../../../..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
...

# ll /
-rw-rw---- 1 root mail 1573112 15. Jan 18:24 etc.css
-rw-rw---- 1 root mail       0 15. Jan 18:24 etc.lock
-rw-rw---- 1 root mail      12 15. Jan 18:24 etc.stats

-------

'dspam' should do some sanity checks regarding the username. Trusting e.g.
the MTA to submit only valid usernames does not suffice because there are
dozens of ways in which 'dspam' can be invoked and they can not all be
verified.

Measures like non-root execution of 'dspamd' can lower the impact of this
attack but I would not trust them either.

----------------------------------------------------------------------

>Comment By: Stevan Bajic (sbajic)
Date: 2010-03-02 20:55

Message:
Hallo Enrico,

latest GIT should fix that issue. Let me know if not.

--
Kind Regards from Switzerland,
Stevan Bajić

----------------------------------------------------------------------

Comment By: Stevan Bajic (sbajic)
Date: 2010-02-24 18:30

Message:
Hallo Enrico,

could you try if the attached patch is solving the issue with an invalid
recipient?

--
Kind Regards from Switzerland,
Stevan Bajić

----------------------------------------------------------------------

Comment By: Stevan Bajic (sbajic)
Date: 2010-01-20 10:32

Message:
> ok; you are right. But why are you checking for '../' and '..\' but not
> for '..' in your patch?
>
Because DSPAM has no issue if a username would be "just.any...name..you..like"
and because the DSPAM username does not have to be a valid email address.
So RFC 5321, RFC 5322, etc. do not bother DSPAM since in DSPAM
username != valid email address.

I am going to fix the second issue as well. I just wanted to quickly iron
out the "--user" problem and then go for the recipient problem.

----------------------------------------------------------------------

Comment By: Enrico Scholz (ensc)
Date: 2010-01-20 10:01

Message:
>> btw... "../" is a valid local-part according to RFC 5321
>>
> Where in RFC 5321 is it written that "../" is a valid local-part?

ok; you are right. But why are you checking for '../' and '..\' but not
for '..' in your patch?

>> problem still exists
>
> For the "--user" switch I would be surprised if it still exists.

afais, the '--user' switch is never used. The dspam daemon receives the
RCPT TO value and processes it without calling an additional program.

# strace -eexecve,stat64,recv -f -p 24353
[pid 31193] recv(4, "LHLO mail-filter\r\n", 1023, 0) = 18
...
[pid 31193] recv(4, "RCPT TO: <../../../../../../etc>", 1023, 0) = 32
...
[pid 31193] stat64("/var/lib/dspam/data/././../../../../../../etc", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

--- no execve()...

----------------------------------------------------------------------

Comment By: Stevan Bajic (sbajic)
Date: 2010-01-20 02:26

Message:
> btw... "../" is a valid local-part according to RFC 5321
>
Where in RFC 5321 is it written that "../" is a valid local-part? As far as
I know RFC 5322 is saying that a dot is a valid character in the local-part
but not if it is the first character of the local-part, and it is not valid
if the dot appears two or more times consecutively. Could you point me to
the section of RFC 5321 that is explicitly stating that ".." is a valid
local-part?

> problem still exists
>
For the "--user" switch I would be surprised if it still exists.
For the recipient passed by the DSPAM agent I don't say anything since I
have not touched that, but the "--user" switch should not allow "../" or
"..\".

----------------------------------------------------------------------

Comment By: Enrico Scholz (ensc)
Date: 2010-01-19 15:05

Message:
problem still exists

did you perhaps patch the wrong branch (flag_u instead of flag_r)?

btw... "../" is a valid local-part according to RFC 5321

----------------------------------------------------------------------

Comment By: Stevan Bajic (sbajic)
Date: 2010-01-19 13:38

Message:
Hallo Enrico

any news regarding the attached patch?

--
Kind Regards from Switzerland,
Stevan Bajić

----------------------------------------------------------------------

Comment By: Stevan Bajic (sbajic)
Date: 2010-01-18 16:26

Message:
Hallo Enrico Scholz

Could you try the attached patch?

--
Kind Regards from Switzerland,
Stevan Bajić

----------------------------------------------------------------------

_______________________________________________
Dspam-devel mailing list
Dspam-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-devel
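The username check the thread argues about, as an added example in C that is not DSPAM's code and not the patch attached to the tracker item. It puts three checks side by side: a substring filter for "../" and "..\" in the spirit of the approach discussed, a lexical walk that tells whether a name used as a relative path climbs above the data directory, and a strict single-component rule. The function names and the sample usernames (the two taken from the thread plus a bare ".." and a harmless "alice") are constructed for this illustration.

```c
/*
 * Added example (not DSPAM code): three ways of checking a username
 * before it is used to build a path under the DSPAM data directory.
 * Function names and the sample strings below are hypothetical.
 */
#include <stdio.h>
#include <string.h>

/* Substring check in the spirit of the patch discussed in the thread:
 * rejects "../" and "..\" anywhere in the name. Returns 1 if accepted.
 * Note that a name consisting of just ".." passes this check. */
int reject_dotdot_slash(const char *user)
{
    return strstr(user, "../") == NULL && strstr(user, "..\\") == NULL;
}

/* Lexical containment check: interpret `rel` as a path relative to the
 * data directory and walk its components. "." and empty components are
 * ignored, ".." pops one level, anything else pushes one. Both '/' and
 * '\\' are treated as separators (the conservative choice). Returns 1 if
 * the walk never climbs above the starting directory. */
int path_stays_under_base(const char *rel)
{
    int depth = 0;
    const char *p = rel;

    while (*p) {
        const char *start = p;
        size_t n;

        while (*p && *p != '/' && *p != '\\')
            p++;
        n = (size_t)(p - start);

        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)
                return 0;           /* escaped the base directory */
        } else if (n != 0 && !(n == 1 && start[0] == '.')) {
            depth++;
        }
        if (*p)
            p++;                    /* skip the separator */
    }
    return 1;
}

/* Strict single-component rule: the username must be usable as exactly
 * one path component. No separators, not "." or "..", no control
 * characters, not empty, not absurdly long. Dots elsewhere stay allowed,
 * so "just.any...name..you..like" from the thread is still accepted.
 * Returns 1 if accepted. */
int user_is_safe_component(const char *user)
{
    size_t len;
    const char *p;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > 255)
        return 0;
    if (strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return 0;
    for (p = user; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: two from the thread, the ".." edge case, a normal name. */
    const char *names[] = {
        "../../../../../../etc",
        "..",
        "just.any...name..you..like",
        "alice",
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-28s substring:%d lexical:%d component:%d\n", names[i],
               reject_dotdot_slash(names[i]),
               path_stays_under_base(names[i]),
               user_is_safe_component(names[i]));
    }
    return 0;
}
```

Running it shows the gap Enrico points at: the substring filter accepts a bare "..", while the lexical walk rejects it because "data/.." already sits one level above the data directory. The single-component rule is the simplest safe answer when, as Stevan notes, the username need not be an e-mail address and dots inside the name are legitimate. Whichever check is chosen, Enrico's strace shows it has to run on the RCPT TO value inside the daemon as well, not only on the "--user" switch.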