Bug#369542: marked as done (security problem in ssmtp package (password exposure))
Your message dated Sun, 10 Dec 2006 01:47:02 + with message-id [EMAIL PROTECTED] and subject line Bug#369542: fixed in ssmtp 2.61-11 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) ---BeginMessage--- Package: ssmtp Version: 2.61 PREFACE: As I am a Gentoo Linux user, I first reported this to the Gentoo team about 1 month ago. As yet nothing's happened, so I'm reporting it upstream as well. The Gentoo bug URL is https://bugs.gentoo.org/show_bug.cgi?id=132376 Here is a copy of the bug report. My apologies if this information is duplicate. I hope for a speedy resolution. Information leak in mail-mta/ssmtp leads to password exposure Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage. ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which requires a username and password. For example, this is a valid ssmtp.conf: mailhub=mail.1dnb.com rewriteDomain=mail.1dnb.com #hostname= FromLineOverride=YES #UseTLS=NO UseSTARTTLS=YES [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] AuthPass=123456 AuthMethod=LOGIN naturally, my AUTH SMTP password is in there - so I have done the following: chown root:mail /etc/ssmtp/ssmtp.conf chmod 640 /etc/ssmtp/ssmtp.conf chown root:mail /usr/sbin/ssmtp chmod 2711 /usr/sbin/ssmtp giving... -rw-r- 1 root mail 1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf -rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp ...as intended. however, as an unprivileged user, [EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Hi. Nothing else. Cc: [-] 220 rain.1dnb.com ESMTP [-] EHLO marshmallow [-] 250 SIZE 0 [-] STARTTLS [-] 220 ready for tls [-] EHLO marshmallow [-] 250 SIZE 0 [-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ== [-] 334 UGFzc3dvcmQ6 [-] MTIzNDU2 [-] 235 ok, go ahead (#2.0.0) [-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] DATA [-] 354 go ahead [-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:23:02 +0100 [-] From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Date: Fri, 5 May 2006 21:23:02 +0100 [-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Subject: This is a test. [-] [-] Hi. Nothing else. [-] . [-] 250 ok 1146860502 qp 8976 [-] QUIT [-] 221 rain.1dnb.com All I can say is... oops. As you can see, the password is quite clearly visible in the output (albeit base64 encoded). Patch attached that removes this specific information leak (the rest of the info is left in for debugging). A more secure (optional?) patch would possibly remove the username, or the -v option altogether. with the patch, we get the following output instead: [EMAIL PROTECTED] ~ $ mail -v -s a test! hah. [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Hi. This is all, 2. Cc: [-] 220 rain.1dnb.com ESMTP [-] EHLO marshmallow [-] 250 SIZE 0 [-] STARTTLS [-] 220 ready for tls [-] EHLO marshmallow [-] 250 SIZE 0 [-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ== [-] 334 UGFzc3dvcmQ6 [-] 235 ok, go ahead (#2.0.0) [-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] DATA [-] 354 go ahead [-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:26:59 +0100 [-] From: root [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Date: Fri, 5 May 2006 21:26:59 +0100 [-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Subject: a test! hah. [-] [-] Hi. This is all, 2. [-] . [-] 250 ok 1146860738 qp 31085 [-] QUIT [-] 221 rain.1dnb.com --- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.0 +0100 +++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.0 +0100 @@ -1281,6 +1281,7 @@ struct passwd *pw; int i, sock; uid_t uid; + bool_t minus_v_save; uid = getuid(); if((pw = getpwuid(uid)) == (struct passwd *)NULL) { @@ -1381,7 +1382,13 @@ #ifdef MD5AUTH } #endif +/* We do NOT want the password output to STDERR +* even base64 encoded.*/ + minus_v_save = minus_v; + minus_v = False; smtp_write(sock, %s, buf); + minus_v = minus_v_save; + (void)alarm((unsigned) MEDWAIT); if(smtp_okay(sock, buf) == False) { (EOF) -- Ben XO ---End Message--- ---BeginMessage--- Source: ssmtp Source-Version: 2.61-11 We believe that the bug you reported is fixed in the latest version of ssmtp, which is
Bug#369542: marked as done (security problem in ssmtp package (password exposure))
Your message dated Mon, 04 Dec 2006 13:47:03 + with message-id [EMAIL PROTECTED] and subject line Bug#369542: fixed in ssmtp 2.61-10.1 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) ---BeginMessage--- Package: ssmtp Version: 2.61 PREFACE: As I am a Gentoo Linux user, I first reported this to the Gentoo team about 1 month ago. As yet nothing's happened, so I'm reporting it upstream as well. The Gentoo bug URL is https://bugs.gentoo.org/show_bug.cgi?id=132376 Here is a copy of the bug report. My apologies if this information is duplicate. I hope for a speedy resolution. Information leak in mail-mta/ssmtp leads to password exposure Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage. ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which requires a username and password. For example, this is a valid ssmtp.conf: mailhub=mail.1dnb.com rewriteDomain=mail.1dnb.com #hostname= FromLineOverride=YES #UseTLS=NO UseSTARTTLS=YES [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] AuthPass=123456 AuthMethod=LOGIN naturally, my AUTH SMTP password is in there - so I have done the following: chown root:mail /etc/ssmtp/ssmtp.conf chmod 640 /etc/ssmtp/ssmtp.conf chown root:mail /usr/sbin/ssmtp chmod 2711 /usr/sbin/ssmtp giving... -rw-r- 1 root mail 1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf -rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp ...as intended. however, as an unprivileged user, [EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Hi. Nothing else. Cc: [-] 220 rain.1dnb.com ESMTP [-] EHLO marshmallow [-] 250 SIZE 0 [-] STARTTLS [-] 220 ready for tls [-] EHLO marshmallow [-] 250 SIZE 0 [-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ== [-] 334 UGFzc3dvcmQ6 [-] MTIzNDU2 [-] 235 ok, go ahead (#2.0.0) [-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] DATA [-] 354 go ahead [-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:23:02 +0100 [-] From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Date: Fri, 5 May 2006 21:23:02 +0100 [-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Subject: This is a test. [-] [-] Hi. Nothing else. [-] . [-] 250 ok 1146860502 qp 8976 [-] QUIT [-] 221 rain.1dnb.com All I can say is... oops. As you can see, the password is quite clearly visible in the output (albeit base64 encoded). Patch attached that removes this specific information leak (the rest of the info is left in for debugging). A more secure (optional?) patch would possibly remove the username, or the -v option altogether. with the patch, we get the following output instead: [EMAIL PROTECTED] ~ $ mail -v -s a test! hah. [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Hi. This is all, 2. Cc: [-] 220 rain.1dnb.com ESMTP [-] EHLO marshmallow [-] 250 SIZE 0 [-] STARTTLS [-] 220 ready for tls [-] EHLO marshmallow [-] 250 SIZE 0 [-] AUTH LOGIN bWVAYmVuLXhvLmNvbQ== [-] 334 UGFzc3dvcmQ6 [-] 235 ok, go ahead (#2.0.0) [-] MAIL FROM:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] RCPT TO:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] 250 ok [-] DATA [-] 354 go ahead [-] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:26:59 +0100 [-] From: root [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Date: Fri, 5 May 2006 21:26:59 +0100 [-] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [-] Subject: a test! hah. [-] [-] Hi. This is all, 2. [-] . [-] 250 ok 1146860738 qp 31085 [-] QUIT [-] 221 rain.1dnb.com --- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.0 +0100 +++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.0 +0100 @@ -1281,6 +1281,7 @@ struct passwd *pw; int i, sock; uid_t uid; + bool_t minus_v_save; uid = getuid(); if((pw = getpwuid(uid)) == (struct passwd *)NULL) { @@ -1381,7 +1382,13 @@ #ifdef MD5AUTH } #endif +/* We do NOT want the password output to STDERR +* even base64 encoded.*/ + minus_v_save = minus_v; + minus_v = False; smtp_write(sock, %s, buf); + minus_v = minus_v_save; + (void)alarm((unsigned) MEDWAIT); if(smtp_okay(sock, buf) == False) { (EOF) -- Ben XO ---End Message--- ---BeginMessage--- Source: ssmtp Source-Version: 2.61-10.1 We believe that the bug you reported is fixed in the latest version of ssmtp,