[AMaViS-user] AMaViS Security Announcement: ZOO archive decompression infinite loop DoS
=== AMaViS Security Announcement ===

Date:                2007-05-17
Affected version(s): amavis, amavisd, amavisd-new, amavis-ng
Vulnerability:       ZOO archive decompression infinite loop DoS
Priority:            urgent
Solution:            update zoo / disable (un)zoo utility
References:          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
                     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
Author:              Mark Martinec [EMAIL PROTECTED]
                     Rainer Link [EMAIL PROTECTED]
Advisory ID:         ASA-2007-2
Contact:             [EMAIL PROTECTED]
WWW:                 http://www.amavis.org/security/

0. Preface

As amavisd-new (http://www.ijs.si/software/amavisd/) is currently the only maintained AMaViS branch, most of the following refers to amavisd-new.

1. Problem description

A ZOO archive decompression infinite loop DoS has been discovered by Jean-Sebastien Guay-Leroux.

2. Impact

All branches of AMaViS are able to call an external zoo decoder if it is available and enabled, including amavisd-new, amavisd-snapshot, amavis-perl and amavis-ng. When given a specially crafted zoo archive, its decoding can consume all available CPU resources, bringing mail processing to a standstill. Whether the impact is temporary or permanent (until operator intervention) depends on the branch and version of amavis.

Versions of amavisd-new 2.4.1 and older, and the branches amavisd-snapshot, amavis-perl and amavis-ng, are particularly affected by this vulnerability, as they offer no timing or other protection against a runaway zoo decoder. The process will eventually reach a virtual memory quota and crash, leaving the mail in the MTA queue for a later retry. Although mail processing will automatically resume in another process, repeated attempts at checking the problematic mail messages will consume most resources, requiring operator intervention to resume normal mail flow by removing the problem messages from the MTA queue.
Versions of amavisd-new 2.4.2 and later impose a time limit on external decoding programs, killing them after about 2/3 of the time set in the $child_timeout configuration variable, which amounts to about 5 minutes of elapsed time by default. When decoding times out, the zoo archive is treated as atomic and normal checks resume, including anti-virus and anti-spam checks, and the mail eventually passes (or is blocked in case of malware). The event consumes about 5 minutes of CPU time, so when just an occasional malicious mail with a zoo archive is received, the impact is a temporary slowdown in mail processing. A dedicated attack can have a more significant impact on mail processing throughput.

In addition to the zoo archiver, versions of amavisd-new starting with 2.4.2 also support the unzoo dearchiver, although it is affected by the same vulnerability and, due to some of its other limitations and lack of maintenance, is not recommended.

A future version of amavisd-new, 2.5.1, will provide additional protection against runaway external decoding programs by enforcing the $MAXFILES limit already while checking an archive listing, which will reduce the impact of this particular vulnerability in zoo to a negligible level, although it may not be able to help with other types of broken behaviour of external decoders.

3. Solution

If the threat is considered to require preventive action, either disable the use of zoo (or unzoo) by amavis, or fix the archiver.

With amavisd-new, the use of the external zoo or unzoo archivers is disabled by removing or hiding these programs so that they are not visible to amavisd, and restarting the amavisd process. Alternatively, removing the zoo entry from the @decoders list, or keeping the config variable $zoo at undef, also disables its use by amavisd. Other branches of amavis require reconfiguration and reinstallation to disable the use of the zoo archiver.

  o zoo-2.10 - CVE-2007-1669: A patch for version 2.10 is provided in section VII of the original zoo advisory.
  o unzoo.c - CVE-2007-1673: This software is not maintained anymore. No patch is provided for this software.

4. Acknowledgement

Credits to Jean-Sebastien Guay-Leroux.

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
http://www.guay-leroux.com/projects/zoo-infinite-advisory.txt
http://www.amavis.org/security/

6. Revision history

2007-05-17: initial release
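As an added illustration of the two protections the advisory describes (example code written here, not amavisd's own), the runaway decoder is simulated with a Python child process that never terminates; the $child_timeout default of 8*60 seconds and the $MAXFILES value are assumptions made for the example:

```python
import subprocess
import sys

# Added example, not amavisd code: the two protections the advisory describes,
# a wall-clock limit on an external decoder (amavisd-new 2.4.2+) and a
# $MAXFILES-style cap applied while reading the archive listing (planned 2.5.1).

CHILD_TIMEOUT = 8 * 60   # $child_timeout default in seconds (assumed here)
MAXFILES = 1500          # cap on archive members; value assumed for the example

def decoder_time_limit(child_timeout=CHILD_TIMEOUT):
    """2.4.2+ kills an external decoder after about 2/3 of $child_timeout."""
    return child_timeout * 2 / 3

def run_decoder(argv, timeout):
    """Run a decoder under a time limit.
    Returns ('ok', stdout), ('failed', stderr) or ('timeout', None); on
    timeout the child has already been killed by subprocess.run."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ('timeout', None)
    if proc.returncode != 0:
        return ('failed', proc.stderr)
    return ('ok', proc.stdout)

def check_listing(listing_text, maxfiles=MAXFILES):
    """Count members in a listing before anything is extracted.
    Returns (count, exceeded)."""
    members = [ln for ln in listing_text.splitlines() if ln.strip()]
    return (len(members), len(members) > maxfiles)

def scan_archive(list_argv, timeout=None, maxfiles=MAXFILES):
    """Decide how an archive is handled from its listing step alone:
    'atomic'   decoder timed out (or failed, this example's choice): scan the
               archive as one opaque file and carry on with the other checks
    'too-many' listing exceeds the cap: do not expand it
    'expand'   safe to extract and scan the members"""
    if timeout is None:
        timeout = decoder_time_limit()
    state, out = run_decoder(list_argv, timeout)
    if state != 'ok':
        return 'atomic'
    _, exceeded = check_listing(out, maxfiles)
    return 'too-many' if exceeded else 'expand'

# Stand-ins for a decoder, constructed for the example: a child that spins
# forever (the effect the crafted zoo archive has) and one that prints a listing.
RUNAWAY = [sys.executable, '-c', 'while True: pass']

def listing_cmd(n):
    return [sys.executable, '-c', f'for i in range({n}): print("member", i)']
```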
Re: [AMaViS-user] SQL and 'policy banks'
>> Can I use different 'policy' (SQL) based on which 'policy bank' the mail arrived?
>
> The %sql_clause associative array is part of policy banks, so you can switch SQL clauses to be used, based on a policy bank. For example:
>
>   $interface_policy{'10026'} = 'ALT';
>   $policy_bank{'ALT'} = {
>     sql_clause => {
>       'sel_policy' => 'SELECT *, altusers.id' .
>         ' FROM altusers LEFT JOIN policy ON altusers.policy_id=policy.id' .
>         ' WHERE altusers.email IN (%k) ORDER BY altusers.priority DESC',
>     },
>   };
>
> ...may be used to let SQL lookups access a table 'altusers' instead of a table 'users', when a policy bank ALT is loaded, i.e. when a request comes in on TCP port 10026.
>
>> Actually what I want to set up is an amavisd-new server that is using @lookup_sql_dsn, @storage_sql_dsn and a different policy (SQL) for incoming and outgoing mails:
>>
>> Incoming
>>   - spamcheck (port 10024)
>>   - viruscheck (D_PASS)
>>   - W/B lists (for individual users ??)
>>   - pen pals
>>
>> Outgoing (port 10025)
>>   - viruscheck (D_DISCARD)
>>   - build up pen pals lists
>>
>> Are there any problems in that?
>
> There is probably no need to fiddle with %sql_clause in policy banks, this looks like a straightforward use of settings in policy banks.

Can I do that? If I do this:

  $policy_bank{'OUTGOING'} = {
    bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
    bypass_banned_checks_maps => [1],  # don't banned-check internal mail
    final_virus_destiny       => D_DISCARD,
  };

it seems like these parameters are always overwritten by the SQL policy table?

- Martin

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
Re: [AMaViS-user] Question about some log information
> Perhaps someone can explain to me some amavis log entries. It's amavisd-new 2.4.5 with default config. I got (shortened):
>
>   amavis[48404]: (48404-01-9) Passed SPAM, [212.71.111.45] [89.220.41.153]
>   amavis[48123]: (48123-01-13) Passed SPAM, [88.238.102.203] [47.62.141.62]
>
> What's the first IP in the brackets after "Passed SPAM" and what's the second one? I checked the README.customize but it's not 100% clear to me.
>
> Regards,
> Thomas

The first IP is %a, the second IP is %e, which are specified in the README.customize:

  a  original SMTP session client IP address (empty if unknown, e.g. no XFORWARD)
  e  best guess of the originator IP address collected from the Received trace

MrC
Re: [AMaViS-user] Question about some log information
Hello

Thank you. I have assumed it but was not sure. In most cases, should this not be the same IP for %a and %e?

I checked a few thousand CLEAN marked emails (of course some of them were spam too but not detected). More than 95% of these emails had the same IP for %a and %e. I guess the 5% with different IPs in %a compared to %e were spam. Nearly 100% of SPAM marked emails have different IPs in %a compared to %e. May this be a way to collect spammers and block these IPs, or would this produce many, many falsely blocked IPs?

Cheers,
Thomas

MrC wrote:
> The first IP is %a, the second IP is %e, which are specified in the README.customize:
>
>   a  original SMTP session client IP address (empty if unknown, e.g. no XFORWARD)
>   e  best guess of the originator IP address collected from the Received trace
>
> MrC

-- 
UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity.
Dennis Ritchie
Re: [AMaViS-user] SQL and 'policy banks'
On 5/17/07, Martin Schiøtz [EMAIL PROTECTED] wrote:

> It seems like these parameters are always overwritten by the SQL policy table?

I was wrong, this works fine:

  $interface_policy{'10025'} = 'OUTGOING';
  $policy_bank{'OUTGOING'} = {
    bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
    bypass_banned_checks_maps => [1],  # don't banned-check internal mail
    bypass_spam_checks_maps   => [0],
    bypass_banned_checks_maps => [0],
    final_virus_destiny       => D_DISCARD,
  };

Cheers
Martin
Re: [AMaViS-user] Question about some log information
-----Original Message-----
From: Thomas Vogt [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 17, 2007 9:44 AM
To: MrC
Cc: amavis-user@lists.sourceforge.net
Subject: Re: [AMaViS-user] Question about some log information

> Hello
>
> Thank you. I have assumed it but was not sure. In most cases, should this not be the same IP for %a and %e?

In many cases, it will be. But consider a mailing list, or a mail provider. The first IP will always be the client's IP (e.g. the MTA), if available. The second is the *originator*, which would be, for example, your home machine (e.g. the MUA). In fact your email to this list showed two different IPs, which makes sense.

> I checked a few thousand CLEAN marked emails (of course some of them were spam too but not detected). More than 95% of these emails had the same IP for %a and %e. I guess the 5% with different IPs in %a compared to %e were spam. Nearly 100% of SPAM marked emails have different IPs in %a compared to %e. May this be a way to collect spammers and block these IPs, or would this produce many, many falsely blocked IPs?

Use RBLs - that's what they are for. This mechanism would not be reliable.

> Cheers,
> Thomas

MrC
Re: [AMaViS-user] SQL and 'policy banks'
Martin,

>> It seems like these parameters are always overwritten by the SQL policy table?
>
> I was wrong, this works fine:

These static settings are only overruled by values from SQL if the corresponding SQL fields are not NULL (and they exist).

Mark
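Added example (not amavisd's code or schema) of the override rule Mark states, using an in-memory SQLite stand-in for the users/policy tables; the column names and rows are constructed for the example and the query mirrors the sel_policy clause quoted earlier in the thread:

```python
import sqlite3

# Added example, not amavisd code: how a static policy-bank value interacts
# with the per-recipient row fetched from the SQL policy table. The tables
# and column names are a simplified stand-in constructed for the example,
# not amavisd's real schema.

STATIC_OUTGOING = {                 # settings of $policy_bank{'OUTGOING'} in the thread
    'bypass_spam_checks': 1,
    'bypass_banned_checks': 1,
    'final_virus_destiny': 'D_DISCARD',
}

SCHEMA = """
CREATE TABLE policy (
  id INTEGER PRIMARY KEY, policy_name TEXT,
  bypass_spam_checks INTEGER,        -- NULL means "not set": static value stands
  bypass_banned_checks INTEGER,
  final_virus_destiny TEXT);
CREATE TABLE users (
  id INTEGER PRIMARY KEY, priority INTEGER, policy_id INTEGER, email TEXT);
"""

# same shape as the sel_policy clause quoted earlier in the thread
SEL_POLICY = ("SELECT policy.* FROM users LEFT JOIN policy"
              " ON users.policy_id = policy.id"
              " WHERE users.email IN (?) ORDER BY users.priority DESC")

def open_sample_db():
    db = sqlite3.connect(':memory:')
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO policy VALUES (?,?,?,?,?)", [
        (1, 'bounce-virus', None, None, 'D_BOUNCE'),   # only the destiny is set
        (2, 'spam-checked', 0, None, None),            # only the spam bypass is set
    ])
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (1, 7, 1, 'alice@example.com'),
        (2, 7, 2, 'bob@example.com'),
    ])
    return db

def effective_settings(db, email, static=STATIC_OUTGOING):
    """Merge the policy bank with the SQL row the way Mark describes: a field
    overrules the static setting only if the row exists and it is not NULL."""
    settings = dict(static)
    row = db.execute(SEL_POLICY, (email,)).fetchone()
    if row is None:                           # unknown recipient: static values stand
        return settings
    for key in static:
        if key in row.keys() and row[key] is not None:
            settings[key] = row[key]
    return settings
```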
Re: [AMaViS-user] [sa_spam_report_header = 1] Producing broken report text
Anant Nitya,

> I have enabled
>
>   sa_spam_report_header = 1
>
> in my amavisd.conf, it works for a few and produces broken text for others. amavisd-new-2.5.0, perl 5.8.8
>
> [BROKEN REPORT HEADER]
>
>   X-Spam-Status: Yes, score=47.791 required=6 tests=[BAYES_99=3.5, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765, DNS_FROM_RFC_WHOIS=1.447, HTML_40_50=0.496, HTML_MESSAGE=0.001, PYZOR_CHECK=3.7, ...
>   X-Spam-Report: =?iso-8859-1?Q?=0A=0A*__1=2E0_RELAY=5FRU_=C2=A0_=C2=A0_=C2=A0_Relayed_thr?=
>     =?iso-8859-1?Q?ough_Russia=0A*__0=2E5_HTML=5F40=5F50_BODY=3A_Message_is_4?=
>     =?iso-8859-1?Q?0=25_to_50=25_HTML=0A*__0=2E0_HTML=5FMESSAGE_BODY=3A_HTML_?=
>   ...

I presume the X-Spam-Report was wrapped by your posting, and was originally contained in one long header line (not longer than 998 characters). So what remains is inappropriate rfc2047-quoting of newlines, and unnecessary quoting of those lines not containing 8-bit characters, which leads to ugly and difficult-to-read information in a header. Note that 8-bit characters are not allowed in a header, so some form of quoting or sanitation can not be avoided.

The following patch should fix it:

--- amavisd~Mon Apr 23 05:25:30 2007 +++ amavisd Fri May 18 02:08:21 2007 @@ -1847,6 +1847,7 @@ my($head,$rest,$tail) = ($1,$2,$3); # Q-encode $rest according to RFC 2047 - # more restricted than =?_ so that it may be used in 'phrase' - $rest =~ s{([^ 0-9a-zA-Z!*/+-])}{sprintf('=%02X',ord($1))}egs; +# # more restricted than =?_ so that it may be used in 'phrase' +# $rest =~ s{([^ 0-9a-zA-Z!*/+-])}{sprintf('=%02X',ord($1))}egs; + $rest =~ s{([^\001-\011\013\014\016-\177])}{sprintf('=%02X',ord($1))}egs; $rest =~ tr/ /_/; # turn spaces into _ (rfc2047 allows it) my($s) = $head; my($len) = 75 - (length($prefix)+length($suffix)) - 2; 
@@ -5396,10 +5397,9 @@ } my($qb) = c('hdr_encoding_qb'); -if (uc($qb) eq 'Q') { - $field_body = q_encode($field_body_octets, $qb, c('hdr_encoding')); -} else { - $field_body = MIME::Words::encode_mimeword($field_body_octets, - $qb, c('hdr_encoding')); -} +my($encoder_func) = uc($qb) eq 'Q' ? \q_encode + : \MIME::Words::encode_mimeword; +$field_body = join(\n, map { /^[\001-\011\013\014\016-\177]*\z/ ? $_ : + $encoder_func($_,$qb,c('hdr_encoding')) } + split(/\n/, $field_body_octets, -1)); } else { # supposed to be in plain ASCII, let's make sure it is $field_body = safe_encode('ascii', $field_body);

Mark
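Review bot: in the first hunk (@@ -1847), the new substitution `$rest =~ s{([^\001-\011\013\014\016-\177])}{sprintf('=%02X',ord($1))}egs;` leaves `=`, `?` and `_` unencoded while the unchanged next line still runs `$rest =~ tr/ /_/;`, so a literal underscore in an 8-bit line (the report in this thread contains HTML_40_50 and DNS_FROM_RFC_WHOIS) decodes as a space, and a literal `?=` can be read by a decoder as the end of the encoded-word. RFC 2047 section 4.2 requires those three characters to be encoded in Q; suggest widening the match, e.g. `s{([^\001-\011\013\014\016-\177]|[=?_])}{sprintf('=%02X',ord($1))}egs`. The commented-out class `[^ 0-9a-zA-Z!*/+-]` did encode them, so this is a regression rather than only a relaxation.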
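Review bot: in the second hunk (@@ -5396), `\q_encode` and `\MIME::Words::encode_mimeword` as shown are not code references (Perl needs `\&q_encode` and `\&MIME::Words::encode_mimeword`), and `join(\n, ...)` needs the separator as a string, `join("\n", ...)`; if the `&` and the quotes were lost by the list archive this is fine, otherwise the hunk would not compile. Separately, the per-line results are glued back with a bare newline, so the report's `*` lines and the leading empty lines (the `=0A=0A` in the broken header above) only form a valid folded header if folding whitespace is added further down; worth stating where that happens, or joining with `"\n "` here.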
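Added example, not part of Mark's patch or of amavisd: a Python version of the per-line approach the patch takes, with `=`, `?` and `_` also Q-encoded and the result folded for a header, plus a decoder to check the round trip on a constructed report modelled on the one in the thread:

```python
import re

# Added example, not amavisd's code: the per-line Q-encoding the patch aims
# for. Only lines carrying 8-bit or control characters become RFC 2047
# encoded-words, so plain ASCII lines of the report stay readable. Unlike the
# patch's character class, '=', '?' and '_' are always encoded here, because
# they are special inside a Q encoded-word (RFC 2047 section 4.2). This is for
# unstructured headers such as X-Spam-Report, not for a 'phrase' in From:.

ASCII_PLAIN = re.compile(r'^[\x01-\x09\x0b\x0c\x0e-\x7f]*\Z')   # the patch's test

def q_encode_line(line, charset='iso-8859-1'):
    """Return one Q encoded-word for `line` (no 75-octet splitting)."""
    out = []
    for byte in line.encode(charset):
        if byte == 0x20:
            out.append('_')                        # RFC 2047 allows space -> '_'
        elif byte < 0x21 or byte > 0x7e or byte in b'=?_':
            out.append('=%02X' % byte)
        else:
            out.append(chr(byte))
    return '=?%s?Q?%s?=' % (charset, ''.join(out))

def encode_report_header(text, charset='iso-8859-1'):
    """Encode a multi-line header body line by line, then fold it so every
    continuation line starts with whitespace; a bare empty line would end the
    header block, which is why the lines are not joined with a plain newline."""
    lines = text.split('\n')
    enc = [l if ASCII_PLAIN.match(l) else q_encode_line(l, charset) for l in lines]
    return '\n '.join(enc)

def q_decode_word(word):
    """Inverse of q_encode_line; anything that is not an encoded-word is returned as is."""
    m = re.match(r'=\?([^?]+)\?Q\?(.*)\?=\Z', word, re.S)
    if not m:
        return word
    charset, body = m.groups()
    text = re.sub(r'=([0-9A-Fa-f]{2})', lambda g: chr(int(g.group(1), 16)),
                  body.replace('_', ' '))          # '_' first, so =5F stays '_'
    return text.encode('latin-1').decode(charset)

def decode_report_header(folded):
    return '\n'.join(q_decode_word(l) for l in folded.split('\n '))

# Constructed stand-in for the report in the thread: the first line carries
# non-breaking spaces (8-bit), the others are plain ASCII.
SAMPLE_REPORT = (
    "\n\n*  1.0 RELAY_RU \u00a0 \u00a0 \u00a0 Relayed through Russia"
    "\n*  0.5 HTML_40_50 BODY: Message is 40% to 50% HTML"
    "\n*  0.0 HTML_MESSAGE BODY: HTML included in message"
)
```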