Bug#369542: marked as done (security problem in ssmtp package (password exposure))
Your message dated Sun, 10 Dec 2006 01:47:02 +
with message-id [EMAIL PROTECTED]
and subject line Bug#369542: fixed in ssmtp 2.61-11
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
---BeginMessage---
Package: ssmtp
Version: 2.61
PREFACE: As I am a Gentoo Linux user, I first reported this to the
Gentoo team about 1 month ago. As yet nothing's happened, so I'm
reporting it upstream as well. The Gentoo bug URL is
https://bugs.gentoo.org/show_bug.cgi?id=132376
Here is a copy of the bug report. My apologies if this information is
duplicate. I hope for a speedy resolution.
Information leak in mail-mta/ssmtp leads to password exposure
Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage.
ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which
requires a username and password. For example, this is a valid ssmtp.conf:
mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
AuthPass=123456
AuthMethod=LOGIN
naturally, my AUTH SMTP password is in there - so I have done the following:
chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp
giving...
-rw-r- 1 root mail 1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp
...as intended.
however, as an unprivileged user,
[EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Hi. Nothing else.
Cc:
[-] 220 rain.1dnb.com ESMTP
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] STARTTLS
[-] 220 ready for tls
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[-] 334 UGFzc3dvcmQ6
[-] MTIzNDU2
[-] 235 ok, go ahead (#2.0.0)
[-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] DATA
[-] 354 go ahead
[-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006
21:23:02 +0100
[-] From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Date: Fri, 5 May 2006 21:23:02 +0100
[-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Subject: This is a test.
[-]
[-] Hi. Nothing else.
[-] .
[-] 250 ok 1146860502 qp 8976
[-] QUIT
[-] 221 rain.1dnb.com
All I can say is... oops. As you can see, the password is quite clearly visible
in the output (albeit base64 encoded).
Patch attached that removes this specific information leak (the rest of the
info is left in for debugging).
A more secure (optional?) patch would possibly remove the username, or the -v
option altogether.
with the patch, we get the following output instead:
[EMAIL PROTECTED] ~ $ mail -v -s a test! hah. [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Hi. This is all, 2.
Cc:
[-] 220 rain.1dnb.com ESMTP
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] STARTTLS
[-] 220 ready for tls
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[-] 334 UGFzc3dvcmQ6
[-] 235 ok, go ahead (#2.0.0)
[-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] DATA
[-] 354 go ahead
[-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006
21:26:59 +0100
[-] From: root [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Date: Fri, 5 May 2006 21:26:59 +0100
[-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Subject: a test! hah.
[-]
[-] Hi. This is all, 2.
[-] .
[-] 250 ok 1146860738 qp 31085
[-] QUIT
[-] 221 rain.1dnb.com
--- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.0 +0100
+++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.0
+0100
@@ -1281,6 +1281,7 @@
struct passwd *pw;
int i, sock;
uid_t uid;
+ bool_t minus_v_save;
uid = getuid();
if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
@@ -1381,7 +1382,13 @@
#ifdef MD5AUTH
}
#endif
+/* We do NOT want the password output to STDERR
+* even base64 encoded.*/
+ minus_v_save = minus_v;
+ minus_v = False;
smtp_write(sock, %s, buf);
+ minus_v = minus_v_save;
+
(void)alarm((unsigned) MEDWAIT);
if(smtp_okay(sock, buf) == False) {
(EOF)
--
Ben XO
---End Message---
---BeginMessage---
Source: ssmtp
Source-Version: 2.61-11
We believe that the bug you reported is fixed in the latest version of
ssmtp, which is
Bug#369542: marked as done (security problem in ssmtp package (password exposure))
Your message dated Mon, 04 Dec 2006 13:47:03 +
with message-id [EMAIL PROTECTED]
and subject line Bug#369542: fixed in ssmtp 2.61-10.1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
---BeginMessage---
Package: ssmtp
Version: 2.61
PREFACE: As I am a Gentoo Linux user, I first reported this to the
Gentoo team about 1 month ago. As yet nothing's happened, so I'm
reporting it upstream as well. The Gentoo bug URL is
https://bugs.gentoo.org/show_bug.cgi?id=132376
Here is a copy of the bug report. My apologies if this information is
duplicate. I hope for a speedy resolution.
Information leak in mail-mta/ssmtp leads to password exposure
Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage.
ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which
requires a username and password. For example, this is a valid ssmtp.conf:
mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
AuthPass=123456
AuthMethod=LOGIN
naturally, my AUTH SMTP password is in there - so I have done the following:
chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp
giving...
-rw-r- 1 root mail 1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp
...as intended.
however, as an unprivileged user,
[EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Hi. Nothing else.
Cc:
[-] 220 rain.1dnb.com ESMTP
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] STARTTLS
[-] 220 ready for tls
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[-] 334 UGFzc3dvcmQ6
[-] MTIzNDU2
[-] 235 ok, go ahead (#2.0.0)
[-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] DATA
[-] 354 go ahead
[-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006
21:23:02 +0100
[-] From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Date: Fri, 5 May 2006 21:23:02 +0100
[-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Subject: This is a test.
[-]
[-] Hi. Nothing else.
[-] .
[-] 250 ok 1146860502 qp 8976
[-] QUIT
[-] 221 rain.1dnb.com
All I can say is... oops. As you can see, the password is quite clearly visible
in the output (albeit base64 encoded).
Patch attached that removes this specific information leak (the rest of the
info is left in for debugging).
A more secure (optional?) patch would possibly remove the username, or the -v
option altogether.
with the patch, we get the following output instead:
[EMAIL PROTECTED] ~ $ mail -v -s a test! hah. [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Hi. This is all, 2.
Cc:
[-] 220 rain.1dnb.com ESMTP
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] STARTTLS
[-] 220 ready for tls
[-] EHLO marshmallow
[-] 250 SIZE 0
[-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[-] 334 UGFzc3dvcmQ6
[-] 235 ok, go ahead (#2.0.0)
[-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] 250 ok
[-] DATA
[-] 354 go ahead
[-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006
21:26:59 +0100
[-] From: root [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Date: Fri, 5 May 2006 21:26:59 +0100
[-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[-] Subject: a test! hah.
[-]
[-] Hi. This is all, 2.
[-] .
[-] 250 ok 1146860738 qp 31085
[-] QUIT
[-] 221 rain.1dnb.com
--- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.0 +0100
+++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.0
+0100
@@ -1281,6 +1281,7 @@
struct passwd *pw;
int i, sock;
uid_t uid;
+ bool_t minus_v_save;
uid = getuid();
if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
@@ -1381,7 +1382,13 @@
#ifdef MD5AUTH
}
#endif
+/* We do NOT want the password output to STDERR
+* even base64 encoded.*/
+ minus_v_save = minus_v;
+ minus_v = False;
smtp_write(sock, %s, buf);
+ minus_v = minus_v_save;
+
(void)alarm((unsigned) MEDWAIT);
if(smtp_okay(sock, buf) == False) {
(EOF)
--
Ben XO
---End Message---
---BeginMessage---
Source: ssmtp
Source-Version: 2.61-10.1
We believe that the bug you reported is fixed in the latest version of
ssmtp,
