Message-ID: <54907334.2080400@redhat.com>
Date: Tue, 16 Dec 2014 19:00:20 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: mailx issues (CVE-2004-2771, CVE-2014-7844)

It turns out that various versions of mailx have shell command injection
via crafted email addresses. These issues are different from the
POSIX-mandated shell escape in email bodies (“~!”), which most
implementations switch off when the input is not a terminal.

There are two main branches of mailx these days, Heirloom mailx and BSD
mailx.

Heirloom mailx appears defunct upstream.

For BSD mailx, OpenBSD seems the canonical source these days. I
discussed these issues with Todd Miller, who kindly provided patches for
their version.

*** Heirloom mailx ***

For Heirloom mailx, the numbered patches address the following issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with “|”.

Such addresses can be specified either on the command line, in the mail
headers (with “-t”), or in address lines copied over from previous mail
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.

0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.

0003. Make wordexp support mandatory. (No functional change.)

0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748>

(The Heirloom patch is slightly different because of the existing use of
wordexp.)

*** BSD mailx ***

The unnumbered patches are for BSD mailx. Their order is: remove_T,
minus_f, mail_glob, expandaddr, nosendmail. remove_T and minus_f have
already been committed. The remaining three roughly correspond to my
patches 0003+0004, 0001, and 0002.

The previous BSD mailx code seems to have an implicit dependency on a
non-option-reordering getopt. (BSD getopt does not recognize options
after non-option arguments, GNU getopt does.) I think the minus_f patch
only improves matters in this regard.

*** Fixing applications ***

Applications calling mailx with untrusted addresses which can start with
“-” still need updating to use “--”. This is sadly not compatible with
older mailx versions lacking the equivalent of patch 0002. However,
directly calling “/usr/sbin/sendmail -i -t” with a self-constructed
email header will work on almost all systems.

Option processing is risky for two reasons: Some of the options are
plainly harmful (e.g., “-Sexpandaddr=@...mple.com”). Others can be used
to mask email addresses, which means that mailx enters read mode, where
you can run shells using the “!” escape (which is especially problematic
if mailx is used to send mail with partially attacker-controlled content).

For Heirloom mailx, I tried to work around this, but both Sebastian
Krahmer and Todd Miller helpfully pointed out that I missed some
options, and that the whole approach is unlikely to work, ever.
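As an added illustration of the caller-side fixes described above (this is example code, not from Florian's post or from either mailx project), the POSIX sh helpers below show the two approaches side by side: an allowlist check that rejects addresses mailx or sendmail could read as an option (“-”), pipe (“|”), file (“/”) or folder (“+”), a message builder for the recommended “/usr/sbin/sendmail -i -t” route, and a mailx wrapper that uses “--”. The paths /usr/sbin/sendmail and the command name mailx follow the post; treating a leading “+” as a folder prefix follows Heirloom mailx's address conventions and is an assumption here, as are the sample addresses.

```shell
#!/bin/sh
# Added example (not code from the post or from either mailx project):
# defensive helpers for scripts that pass addresses they did not choose to
# mailx or sendmail. Paths and command names follow the post; the "+"
# folder prefix is assumed from Heirloom mailx's address conventions.

# is_safe_address ADDR
# Returns 0 when ADDR looks like a plain user@domain recipient and 1 when
# mailx or sendmail could read it as something else: an option ("-..."),
# a pipe ("|..."), a file ("/..."), a folder ("+..."), or anything with
# shell metacharacters, whitespace, or more than one "@".
is_safe_address() {
    case "$1" in
        ''|-*|'|'*|/*|+*) return 1 ;;        # leading metacharacters
        *[!A-Za-z0-9.@_+-]*) return 1 ;;     # outside a tight allowlist
        *@*) ;;                              # must contain an "@"
        *) return 1 ;;
    esac
    local_part=${1%%@*}
    domain=${1#*@}
    # non-empty local part and domain, and no second "@" in the domain
    [ -n "$local_part" ] && [ -n "$domain" ] && [ "$domain" = "${domain#*@}" ]
}

# build_message TO SUBJECT BODY
# Prints a complete message for "sendmail -i -t". CR/LF are stripped from
# the subject so a caller-supplied value cannot smuggle in extra header
# lines; the recipient is validated first.
build_message() {
    to=$1
    subject=$(printf '%s' "$2" | tr -d '\r\n')
    body=$3
    is_safe_address "$to" || return 1
    printf 'To: %s\nSubject: %s\n\n%s\n' "$to" "$subject" "$body"
}

# send_via_sendmail TO SUBJECT BODY
# Bypasses mailx entirely, as the post recommends: with -t sendmail takes
# the recipient from the header, so it never sees it as an argument and no
# option processing can occur. -i keeps a lone "." line from ending the
# message early.
send_via_sendmail() {
    msg=$(build_message "$@") || return 1
    printf '%s\n' "$msg" | /usr/sbin/sendmail -i -t
}

# send_via_mailx TO SUBJECT BODY
# For scripts that must keep using mailx: "--" ends mailx's own option
# parsing, so an address can no longer be taken as e.g. "-Sexpandaddr=...".
# Per the post, mailx still hands the address to sendmail, so on versions
# without the equivalent of patch 0002 the allowlist above is what actually
# prevents sendmail option processing.
send_via_mailx() {
    to=$1
    subject=$(printf '%s' "$2" | tr -d '\r\n')
    body=$3
    is_safe_address "$to" || return 1
    printf '%s\n' "$body" | mailx -s "$subject" -- "$to"
}
```

A script would call `send_via_sendmail "$addr" "Nightly report" "$(cat report.txt)"`; because the recipient travels inside the header and the subject is flattened to one line, neither value can reach sendmail or mailx as an option, a pipe, or a file name, and the return code tells the caller when an address was refused rather than silently mailing to a sanitised variant.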
--
Florian Weimer / Red Hat Product Security
Attachments:
  0001-outof-Introduce-expandaddr-flag.patch (text/x-patch, 1710 bytes)
  0002-unpack-Disable-option-processing-for-email-addresses.patch (text/x-patch, 2208 bytes)
  0003-fio.c-Unconditionally-require-wordexp-support.patch (text/x-patch, 2510 bytes)
  0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch (text/x-patch, 654 bytes)
  remove_T (text/plain, 3725 bytes)
  minus_f (text/plain, 2544 bytes)
  mail_glob (text/plain, 2692 bytes)
  expandaddr (text/plain, 2136 bytes)
  nosendmail (text/plain, 1360 bytes)