Bugtraq mailing list archives

Re: Nasty hole in postifx/procmail/cyrus


From: guenther () GAC EDU (Philip Guenther)
Date: Sun, 2 Jul 2000 20:04:04 -0500


Dylan Griffiths <Dylan_G () BIGFOOT COM> writes:
> Secure Postfix+Procmail+Cyrus micro-howto
>
> This should be secure, as $1, $2, etc, are not trusted nor read.  Postfix
> parses the user@domain.dom part for us, and feeds USER= and EXTENSION= lines
> to procmail, which works on those variables only.

How is it more secure to pass the values as variable assignments on the
command line instead of as $1, $2, etc?  The error is in how the
variables are used, not what they are named.

> The entry in master.cf for procmail to be used as a mailbox_transport:
>
> procmail  unix  -       n       n       -       -       pipe
>    flags=R user=cyrus argv=/usr/bin/procmail -p \
>                 /home/cyrus/procmail.common \
>                 USER=${user} EXTENSION=${extension}

Does postfix check $(user) and $(extension) for evil characters
(including whitespace) before passing them to procmail?  Does it require
$(user) to be an actual username?  If not the latter, you're still open
to the ../../etc/passwd hack, and if not the former then your recipes
still allow remote attackers to change the arguments passed to deliver.

Procmail's variable expansion style was derived from the shells, and
therefore suffers all its defects.  If you haven't sanitised it, you
_must_ double-quote untrusted data to prevent filename globbing and word
breaking.

> ...
> INCLUDERC=/home/cyrus/procmail.$USER

Did you check USER for /s and ..s?

> ...
> # If this fails, it tries without the extension
> :0w
> | $DELIVERMAIL  -a $USER -e -q -m $EXTENSION $USER

What if EXTENSION or USER contains whitespace or a '*'?  What if
EXTENSION is *empty*?  (Whoops, you just passed $USER to the -m flag.  I
hope that didn't hurt.)

        # Only call deliver with an extension if we were passed a
        # non-empty one
        :0 w
        * EXTENSION ?? .
        | $DELIVERMAIL -a "$USER" -e -q -m "$EXTENSION" -- "$USER"

(Do you really want the -q flag here?  You might as well turn off quotas
if you do.)

> # If this fails, it returns error!
> :0w
> | $DELIVERMAIL  -a $USER -e -q $USER

Likewise:

        :0 w
        | $DELIVERMAIL -a "$USER" -e -q -- "$USER"

Philip Guenther
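
The argument-boundary problems raised in the reply above, as an added example that is not part of the original post or of either author's configuration. It uses POSIX sh as a stand-in for procmail's shell-derived expansion; `show_argv`, `deliver_unquoted`, `deliver_quoted`, `glob_demo` and `safe_value` are hypothetical names, and the allow-list in `safe_value` is a constructed policy.

```shell
#!/bin/sh
# Added illustration: POSIX sh stands in for procmail's shell-derived expansion.

# show_argv: hypothetical stub in place of Cyrus deliver; prints each argument
# it receives in [brackets] so the argument boundaries are visible.
show_argv() {
    out=""
    for a in "$@"; do out="${out}[${a}]"; done
    printf '%s\n' "$out"
}

# Expansion style of the original recipe: nothing quoted.
deliver_unquoted() {
    u=$1 ext=$2
    show_argv -a $u -e -q -m $ext $u
}

# Expansion style of the corrected recipes: quoted, "--" before the mailbox,
# and -m passed only when the extension is non-empty.
deliver_quoted() {
    u=$1 ext=$2
    if [ -n "$ext" ]; then
        show_argv -a "$u" -e -q -m "$ext" -- "$u"
    else
        show_argv -a "$u" -e -q -- "$u"
    fi
}

# An unquoted '*' is globbed against the current directory (constructed temp dir).
glob_demo() (
    d=$(mktemp -d) && cd "$d" && : > f1 && : > f2 || exit 1
    deliver_unquoted bob '*'
    cd / && rm -rf "$d"
)

# Constructed allow-list (an assumption, not Postfix's own check): rejects
# empty values, "/", whitespace, "*", a leading "." and any "..".
safe_value() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

deliver_unquoted bob ''             # [-a][bob][-e][-q][-m][bob]
deliver_quoted   bob ''             # [-a][bob][-e][-q][--][bob]
deliver_unquoted 'bob extra' sub    # [-a][bob][extra][-e][-q][-m][sub][bob][extra]
deliver_quoted   'bob extra' sub    # [-a][bob extra][-e][-q][-m][sub][--][bob extra]
```

With the empty extension, the unquoted form leaves the mailbox name as the argument of `-m`; the quoted form keeps every value as exactly one argument.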

