Your message dated Sun, 10 Dec 2006 01:47:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369542: fixed in ssmtp 2.61-11
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: ssmtp
Version: 2.61
PREFACE: As I am a Gentoo Linux user, I first reported this to the
Gentoo team about 1 month ago. As yet nothing's happened, so I'm
reporting it upstream as well. The Gentoo bug URL is
https://bugs.gentoo.org/show_bug.cgi?id=132376

Here is a copy of the bug report. My apologies if this information is
duplicate. I hope for a speedy resolution.

"Information leak in mail-mta/ssmtp leads to password exposure"

Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage.

ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which
requires a username and password. For example, this is a valid ssmtp.conf:
mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
[EMAIL PROTECTED]
AuthPass=123456
AuthMethod=LOGIN
Naturally, my AUTH SMTP password is in there - so I have done the following:
chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp
giving...
-rw-r----- 1 root mail 1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp
...as intended.
However, as an unprivileged user,
[EMAIL PROTECTED] ~ $ mail -v -s 'This is a test.' [EMAIL PROTECTED]
Hi. Nothing else.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[->] MTIzNDU2
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] RCPT TO:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:23:02 +0100
[->] From: [EMAIL PROTECTED]
[->] Date: Fri, 5 May 2006 21:23:02 +0100
[->] To: [EMAIL PROTECTED]
[->] Subject: This is a test.
[->]
[->] Hi. Nothing else.
[->] .
[<-] 250 ok 1146860502 qp 8976
[->] QUIT
[<-] 221 rain.1dnb.com
All I can say is... oops. As you can see, the password is quite clearly visible
in the output (albeit base64 encoded).
Patch attached that removes this specific information leak (the rest of the
info is left in for debugging).
A more secure (optional?) patch would possibly remove the username, or the -v
option altogether.
With the patch, we get the following output instead:
[EMAIL PROTECTED] ~ $ mail -v -s "a test! hah." [EMAIL PROTECTED]
Hi. This is all, 2.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] RCPT TO:<[EMAIL PROTECTED]>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:26:59 +0100
[->] From: "root" <[EMAIL PROTECTED]>
[->] Date: Fri, 5 May 2006 21:26:59 +0100
[->] To: [EMAIL PROTECTED]
[->] Subject: a test! hah.
[->]
[->] Hi. This is all, 2.
[->] .
[<-] 250 ok 1146860738 qp 31085
[->] QUIT
[<-] 221 rain.1dnb.com
--- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.000000000 +0100
+++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.000000000
+0100
@@ -1281,6 +1281,7 @@
struct passwd *pw;
int i, sock;
uid_t uid;
+ bool_t minus_v_save;
uid = getuid();
if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
@@ -1381,7 +1382,13 @@
#ifdef MD5AUTH
}
#endif
+ /* We do NOT want the password output to STDERR
+ * even base64 encoded.*/
+ minus_v_save = minus_v;
+ minus_v = False;
smtp_write(sock, "%s", buf);
+ minus_v = minus_v_save;
+
(void)alarm((unsigned) MEDWAIT);
if(smtp_okay(sock, buf) == False) {
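Review bot: in the second hunk, clearing the global minus_v around smtp_write(sock, "%s", buf) removes the client line from the trace altogether, so the patched -v output shows the 334 challenge followed directly by 235 with no sign that anything was sent. Consider printing a fixed placeholder for this one write when minus_v_save is set, rather than toggling a global flag and restoring it afterwards. The write sits after the #ifdef MD5AUTH / #endif block, so the suppression applies on both paths; the new comment should say that and name which contents of buf it protects, since buf is reused by the smtp_okay() call right after. The earlier AUTH LOGIN line, which still carries the base64 username in the patched output, is not covered by this change.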
(EOF)
--
Ben XO
--- End Message ---
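The patch above hides the password by switching the global verbose flag off around one write. As an added example (not ssmtp code and not part of the report; trace_state, trace_server and trace_client are hypothetical names), the same goal can be met inside the trace routine itself, which goes a step further and also covers the base64 username on the AUTH line that the reporter mentions:

```c
/* Added example, not ssmtp code: a -v style tracer that hides AUTH secrets. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical state: set after a 334 challenge, so the next client line
 * is known to be a credential response. */
struct trace_state { int awaiting_auth_response; };

/* Format a server reply for the trace and remember 334 challenges. */
void trace_server(struct trace_state *st, const char *line, char *out, size_t n)
{
    st->awaiting_auth_response = (strncmp(line, "334", 3) == 0);
    snprintf(out, n, "[<-] %s", line);
}

/* Format a client line for the trace, replacing credential material. */
void trace_client(struct trace_state *st, const char *line, char *out, size_t n)
{
    if (st->awaiting_auth_response) {
        /* Answer to a 334 challenge: never echoed, even base64 encoded. */
        st->awaiting_auth_response = 0;
        snprintf(out, n, "[->] <auth response hidden>");
    } else if (strncasecmp(line, "AUTH ", 5) == 0 && strchr(line + 5, ' ')) {
        /* Keep "AUTH <mechanism>", drop the initial response after it. */
        const char *mech = line + 5;
        snprintf(out, n, "[->] AUTH %.*s <hidden>", (int)strcspn(mech, " "), mech);
    } else {
        snprintf(out, n, "[->] %s", line);
    }
}

int main(void)
{
    /* Constructed replay of the AUTH LOGIN exchange shown in the report. */
    const char *session[] = { "C:AUTH LOGIN bWVAYmVuLXhvLmNvbQ==",
        "S:334 UGFzc3dvcmQ6", "C:MTIzNDU2", "S:235 ok, go ahead (#2.0.0)" };
    struct trace_state st = { 0 };
    char out[128];
    for (size_t i = 0; i < sizeof session / sizeof session[0]; i++) {
        if (session[i][0] == 'S') trace_server(&st, session[i] + 2, out, sizeof out);
        else trace_client(&st, session[i] + 2, out, sizeof out);
        fprintf(stderr, "%s\n", out);
    }
    return 0;
}
```

Because the placeholder is printed in place of the secret, the trace still shows that a response was sent after each 334, which keeps the transcript useful for debugging.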
--- Begin Message ---
Source: ssmtp
Source-Version: 2.61-11
We believe that the bug you reported is fixed in the latest version of
ssmtp, which is due to be installed in the Debian FTP archive:
ssmtp_2.61-11.diff.gz
to pool/main/s/ssmtp/ssmtp_2.61-11.diff.gz
ssmtp_2.61-11.dsc
to pool/main/s/ssmtp/ssmtp_2.61-11.dsc
ssmtp_2.61-11_i386.deb
to pool/main/s/ssmtp/ssmtp_2.61-11_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[EMAIL PROTECTED]> (supplier of updated ssmtp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 10 Dec 2006 12:15:28 +1100
Source: ssmtp
Binary: ssmtp
Architecture: source i386
Version: 2.61-11
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Changed-By: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Description:
ssmtp - extremely simple MTA to get mail off the system to a mail hub
Closes: 369542 394106
Changes:
ssmtp (2.61-11) unstable; urgency=low
.
* ACK NMU. Closes: #369542.
* Updated Japanese debconf translation. Closes: #394106.
Patch by Hideki Yamane <[EMAIL PROTECTED]>.
Files:
d1549209bf7b8083665cc9868c8e0f00 623 mail extra ssmtp_2.61-11.dsc
b589301689e49edc2dd3b8188bfe7072 32370 mail extra ssmtp_2.61-11.diff.gz
5c28d489e1919c017e9f36ad88a1a70e 42702 mail extra ssmtp_2.61-11_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFe2PIipBneRiAKDwRAs9KAKCSJ67cQuX3mAEkMW7vc8nVjWyRZACgkmSa
mgAr/hXdya3PZrFezDO0M1s=
=EGzs
-----END PGP SIGNATURE-----
--- End Message ---