Date: Tue, 16 Dec 2014 19:00:20 +0100 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: mailx issues (CVE-2004-2771, CVE-2014-7844) It turns out that various versions of mailx have shell command injection via crafted email addresses. These issues are different from the POSIX-mandated shell escape in email bodies (“~!”), which most implementations switch off when the input is not a terminal. There are two main branches of mailx these days, Heirloom mailx and BSD mailx. Heirloom mailx appears defunct upstream. For BSD mailx, OpenBSD seems the canonical source these days. I discussed these issues with Todd Miller, who kindly provided patches for their version. *** Heirloom mailx *** For Heirloom mailx, the numbered patches address the following issues: 0001. Do not recognize paths, mail folders, and pipes in mail addresses by default. That avoids a direct command injection with syntactically valid email addresses starting with “|”. Such addresses can be specified both on the command line, the mail headers (with “-t”) or in address lines copied over from previous mail while replying. This was assigned CVE-2014-7844 for some versions of BSD mailx. It is documented behavior for Heirloom mailx, and was mentioned in an old technical report about BSD mailx (which does not usually make its way into operating system installations). The patch switches off this processing and updates the documentation. 0002. When invoking sendmail, prevent option processing for email address arguments. This prevents changing e.g. the Postfix configuration file in unexpected ways. This behavior was documented for BSD mailx (sort of), but not for Heirloom mailx. We did not assign a CVE to this because it is more of a missing feature, and code invoking mailx needs adjustment in the caller as well. 0003. Make wordexp support mandatory. (No functional change.) 0004. Prevent command execution in the expand function, which is IMHO unexpected. (Not really required with patch 1, and there is still information disclosure/DoS potential if this expansion occurs.) This is a historic vulnerability already fixed in the Debian package, retroactively assigned CVE-2004-2771: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748> (The Heirloom patch is slightly different because of the existing use of wordexp.) *** BSD mailx *** The unnumbered patches are for BSD mailx. Their order is: remove_T, minus_f, mail_glob, expandaddr, nosendmail. remove_T and minus_f have already been committed. The remaining three roughly correspond to my patches 0003+0004, 0001, and 0002. The previous BSD mailx code seems to have an implicit dependency of a non-option-reordering getopt. (BSD getopt does not recognize options after non-option arguments, GNU getopt does.) I think the minus_f patch only improves matters in this regard. *** Fixing applications *** Applications calling mailx with untrusted addresses which can start with “-” still need updating to use “--”. This is sadly not compatible with older mailx versions lacking the equivalent of patch 0002. However, directly calling “/usr/sbin/sendmail -i -t” with a self-constructed email header will work on almost all systems. Option processing is risky for two reasons: Some of the options are plainly harmful (e.g., “-Sexpandaddr=@...mple.com”). Others can be used to mask email addresses, which means that mailx enters read mode, where you can run shells using the “!” escape (which is especially problematic if mailx is used to send mail with partially attacker-controlled content). For Heirloom mailx, I tried to work around this, but both Sebastian Krahmer and Todd Miller helpfully pointed out that I missed some options, and that the whole approach is unlikely to work, ever. -- Florian Weimer / Red Hat Product Security View attachment "0001-outof-Introduce-expandaddr-flag.patch" of type "text/x-patch" (1710 bytes) View attachment "0002-unpack-Disable-option-processing-for-email-addresses.patch" of type "text/x-patch" (2208 bytes) View attachment "0003-fio.c-Unconditionally-require-wordexp-support.patch" of type "text/x-patch" (2510 bytes) View attachment "0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch" of type "text/x-patch" (654 bytes) View attachment "remove_T" of type "text/plain" (3725 bytes) View attachment "minus_f" of type "text/plain" (2544 bytes) View attachment "mail_glob" of type "text/plain" (2692 bytes) View attachment "expandaddr" of type "text/plain" (2136 bytes) View attachment "nosendmail" of type "text/plain" (1360 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.