Re: How did it happen?

2020-02-01 Thread gilles
February 1, 2020 2:01 PM, "Uwe Werler"  wrote:

> Thank you very much Gilles for the insights.
> 
> It's not really your fault because it's how our brain works. If we want to
> get things working we are concentrating on getting them working - not on how
> to break them. It's amazing that the code worked like "intended" - that means
> you are a very good dev. Logical fallacies hit us every day - we are human.
> 

it is my fault but that's the way it is, error is human.

if more people wanted to contribute we could limit risks for logic mistakes,
but as of now there are very few people interested in diving into smtpd.

> I would give +1 to not delivering mails directly to root.
> 

working on it


Re: How did it happen?

2020-02-01 Thread Uwe Werler



On 31 January 2020 18:48:51 GMT+00:00, gil...@poolp.org wrote:
>January 30, 2020 4:44 PM, gil...@poolp.org wrote:
>
>> It depends on your configuration, not all setups are vulnerable.
>> 
>> I think I recall your name from the comments on my tutorial and this is a
>> setup that would not be vulnerable for example. The bug still exists, but
>> it can't be used to exploit the same code path.
>> 
>> You should update, this is not something you want to rely on.
>> 
>> I'm writing a _very_ detailed post-mortem which will go into the details,
>> I just want to give it a few days to make sure it is as informative as it
>> should.
>> 
>
>
>As promised, I have written a (too much ?) detailed write-up about the
>recent event:
>
>https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
>
>Hope it clarifies what happened and plans for the future.
>
>Gilles

Thank you very much Gilles for the insights.

It's not really your fault because it's how our brain works. If we want to get
things working we are concentrating on getting them working - not on how to
break them. It's amazing that the code worked like "intended" - that means you
are a very good dev. Logical fallacies hit us every day - we are human.

I would give +1 to not delivering mails directly to root.


Re: How did it happen?

2020-01-31 Thread aisha

Really great article.
Was very fun to read.

And again thanks for your work on osmtpd, am actually sending from a 
server set up from your poolp post :D


Sucks about the bug, but logic errors are the wurst.

Take care.

---
Aisha
blog.aisha.cc

On 2020-01-31 13:48, gil...@poolp.org wrote:

> January 30, 2020 4:44 PM, gil...@poolp.org wrote:
> 
>> It depends on your configuration, not all setups are vulnerable.
>> 
>> I think I recall your name from the comments on my tutorial and this is a
>> setup that would not be vulnerable for example. The bug still exists, but
>> it can't be used to exploit the same code path.
>> 
>> You should update, this is not something you want to rely on.
>> 
>> I'm writing a _very_ detailed post-mortem which will go into the details,
>> I just want to give it a few days to make sure it is as informative as it
>> should.
> 
> As promised, I have written a (too much ?) detailed write-up about the
> recent event:
> 
> https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
> 
> Hope it clarifies what happened and plans for the future.
> 
> Gilles




Re: How did it happen?

2020-01-31 Thread gilles
January 30, 2020 4:44 PM, gil...@poolp.org wrote:

> It depends on your configuration, not all setups are vulnerable.
> 
> I think I recall your name from the comments on my tutorial and this is a
> setup that would not be vulnerable for example. The bug still exists, but
> it can't be used to exploit the same code path.
> 
> You should update, this is not something you want to rely on.
> 
> I'm writing a _very_ detailed post-mortem which will go into the details,
> I just want to give it a few days to make sure it is as informative as it
> should.
> 


As promised, I have written a (too much ?) detailed write-up about the recent 
event:

https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

Hope it clarifies what happened and plans for the future.

Gilles



Re: How did it happen?

2020-01-30 Thread gilles
It depends on your configuration, not all setups are vulnerable.

I think I recall your name from the comments on my tutorial and this is a
setup that would not be vulnerable for example. The bug still exists, but
it can't be used to exploit the same code path.

You should update, this is not something you want to rely on.

I'm writing a _very_ detailed post-mortem which will go into the details,
I just want to give it a few days to make sure it is as informative as it
should.


January 30, 2020 4:09 PM, "Flipchan"  wrote:

> Has anyone verified that it writes to disk as the Qualys report says?
> 
> I have tried on 6.5 and 6.4 but it's not writing to disk
> 
> https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
> 
> On January 29, 2020 2:07:38 PM GMT+01:00, Oriol Demaria  wrote:
> 
>> I understand that root might be required to open privileged ports, but
>> then how are commands run as root when you exploit the opensmtpd
>> vulnerability?
>> 
>> In case someone hasn't seen it: patch your system right now.
>> 
>> Regards.
>> --
>> Oriol Demaria
>> 0x58415679
> 
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: How did it happen?

2020-01-30 Thread Flipchan
Never mind, it's working

On January 30, 2020 4:09:23 PM GMT+01:00, Flipchan  wrote:
>Has anyone verified that it writes to disk as the Qualys report says?
>
>I have tried on 6.5 and 6.4 but it's not writing to disk
>
>https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
>
>On January 29, 2020 2:07:38 PM GMT+01:00, Oriol Demaria  wrote:
>>I understand that root might be required to open privileged ports, but
>>then how are commands run as root when you exploit the opensmtpd
>>vulnerability?
>>
>>In case someone hasn't seen it: patch your system right now.
>>
>>Regards.
>>-- 
>>Oriol Demaria
>>0x58415679
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: How did it happen?

2020-01-30 Thread Flipchan
Has anyone verified that it writes to disk as the Qualys report says?

I have tried on 6.5 and 6.4 but it's not writing to disk

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

On January 29, 2020 2:07:38 PM GMT+01:00, Oriol Demaria  wrote:
>I understand that root might be required to open privileged ports, but
>then how are commands run as root when you exploit the opensmtpd
>vulnerability?
>
>In case someone hasn't seen it: patch your system right now.
>
>Regards.
>-- 
>Oriol Demaria
>0x58415679

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: How did it happen?

2020-01-29 Thread gilles
January 29, 2020 7:00 PM, "Stuart Henderson"  wrote:

> 
> I hesitate to mention it in case it puts anyone off from updating (DON'T
> DO THAT, YOU SHOULD UPDATE!) but it is easy to configure to avoid the
> root-escalation aspect of this bug - and many readers will already be
> doing this, especially if they maintain multiple systems: forward root's
> mail (via /root/.forward or aliases) off the machine. I haven't tested
> but presume the same bug also allows running as another (non-root) user
> so it's not a complete workaround, but is something that can be done
> quickly while planning a more complicated upgrade.
>

that's not sufficient because for mbox delivery, the privilege drop is done
by the mail.local utility.

there are mitigations, like switching to maildir or blocking mail-from with
a builtin filter, but I would not advise doing that.

As you said: DON'T DO THAT, update is the only safe path.



Re: How did it happen?

2020-01-29 Thread Stuart Henderson
On 2020-01-29, Oriol Demaria  wrote:
> I understand that root might be required to open privileged ports, but then
> how are commands run as root when you exploit the opensmtpd vulnerability?

For a clue:

ls -l /var/mail

How are those messages delivered to those files with those permissions?

> In case someone hasn't seen patch right now your system.

Affected versions: 6.4 to 6.6, -current between May 2018 and today.
Syspatches are available for 6.5 and 6.6.

More details about the bug as discovered:
https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

In a default OpenBSD installation this gives a local-only root escalation.
This can still be quite bad e.g. if you have a webserver which has access to
send mail via smtpd on localhost and you allow less-trusted users to upload
PHP scripts etc, or if you have a multi-user system with untrusted users.

(If you have a single user system running untrustworthy software, "don't
do that"! - it could be used as an escalation there too, but unless
you're rather careful there are probably several other unrelated
possible escalations - if you're sat there thinking that this case is
important but you also have sudo/doas configured with nopasswd access
then it is time to reevaluate priorities :-)

I hesitate to mention it in case it puts anyone off from updating (DON'T
DO THAT, YOU SHOULD UPDATE!) but it is easy to configure to avoid the
root-escalation aspect of this bug - and many readers will already be
doing this, especially if they maintain multiple systems: forward root's
mail (via /root/.forward or aliases) off the machine. I haven't tested
but presume the same bug also allows running as another (non-root) user
so it's not a complete workaround, but is something that can be done
quickly while planning a more complicated upgrade.
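Added example, not part of the thread and not OpenSMTPD's own code: a small
defender-side check for the workaround Stuart describes, i.e. whether root's
mail actually leaves the machine via /root/.forward or an aliases entry. The
file locations are parameters so it can be run against sample files; the real
paths on OpenBSD are assumed to be /etc/mail/aliases and /root/.forward, and
the parser assumes the usual aliases(5) "name: target, target" layout with
'#' comments. It only tells you where root's mail goes; it says nothing about
whether the installed smtpd is patched, which is the point Stuart insists on.

```shell
#!/bin/sh
# Added example (not from the thread): does root's mail leave this host?
# Assumed paths on OpenBSD: /etc/mail/aliases and /root/.forward.

# Read comma- or newline-separated delivery targets on stdin and print the
# first one that names a remote mailbox (contains '@'); print nothing if all
# targets are local users, programs or files.
first_remote_address() {
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep '@' | head -n 1
    return 0
}

# Print the first off-host address root's mail is forwarded to, or nothing.
# $1 = aliases file, $2 = root's .forward file (may not exist).
root_offhost_target() {
    aliases=$1
    forward=$2
    # A .forward file in root's home takes precedence over the aliases entry.
    if [ -f "$forward" ]; then
        grep -v '^[[:space:]]*#' "$forward" | first_remote_address
        return 0
    fi
    # aliases(5): the line "root: a, b" lists root's targets; skip comments.
    awk -F: '!/^[ \t]*#/ && $1 ~ /^root[ \t]*$/ {
                 sub(/^[ \t]+/, "", $2); print $2; exit
             }' "$aliases" 2>/dev/null | first_remote_address
    return 0
}

# Exit status 0 when root's mail is forwarded off-host, 1 when it stays local.
root_mail_leaves_host() {
    [ -n "$(root_offhost_target "$1" "$2")" ]
}

# Usage on a live box (assumed paths):
#   root_mail_leaves_host /etc/mail/aliases /root/.forward \
#       && echo "root mail forwarded off-host" || echo "root mail stays local"
```

Note that a `.forward` entry of the form `\root, ops@example.net` keeps a local
copy as well as forwarding, so "leaves host" is not the same as "no local mbox
delivery for root"; the check reports the forwarding, not the absence of local
delivery.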




Re: How did it happen?

2020-01-29 Thread Kevin Chadwick
On 2020-01-29 13:07, Oriol Demaria wrote:
> I understand that root might be required to open privileged ports, but then
> how are commands run as root when you exploit the opensmtpd vulnerability?

Gilles has said further information is coming, but root isn't just required for
privileged ports but also for other things like creating files owned by various
users etc. Looks to me like some extra checks; created an issue. Should be an
interesting read.



Re: How did it happen?

2020-01-29 Thread gilles
smtpd needs to be able to execute the mda with user privileges to deliver mail
to them; it cannot revoke all its privileges after binding ports. furthermore,
mbox needs to be able to write to /var/mail, forcing it to retain some
privileges.

after I'm done dealing with the aftermath, i'll explain in a detailed mail what
has allowed the bug to amplify from a simple logic issue to a catastrophe, and
the plan to prevent future logic bugs from having the same potential.


January 29, 2020 2:07 PM, "Oriol Demaria"  wrote:

> I understand that root might be required to open privileged ports, but then
> how are commands run as root when you exploit the opensmtpd vulnerability?
> 
> In case someone hasn't seen it: patch your system right now.
> 
> Regards.
> -- 
> Oriol Demaria
> 0x58415679



How did it happen?

2020-01-29 Thread Oriol Demaria
I understand that root might be required to open privileged ports, but then how
are commands run as root when you exploit the opensmtpd vulnerability?

In case someone hasn't seen it: patch your system right now.

Regards.
-- 
Oriol Demaria
0x58415679