Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 23 Apr 2020 15:10:55 +0300
From: PromiseLabs Pentest Research <pentest@...miselabs.net>
To: oss-security@...ts.openwall.com
Subject: spoofing of local email sender via a homoglyph attack

Hi,

The provided versions seem to be wrong on this request, sorry for this.

The exact version is from the postfix-2.10.1-7.el7.x86_64 package, thus
the version stated in the CVE should be 2.10.1.

---
PLPR:
Plamen Dimitrov
Penetration Tester, CEH & OSCP certified

Promise Solutions LTD
Penetration Testing and Managed Security services

https://www.promisedev.com
https://www.promiselabs.net
+359 883 22 05 12

On 2020-04-22 18:20, cve-request@...re.org wrote: 

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> The CVE ID is below. As far as we know, 3.3.0-1 is not a commonly
> used version. Please see the "[Reference]" section below.
> 
>> [Suggested description]
>> A certain Postfix 3.3.0-1 package could allow an attacker to send
>> an email from an arbitrary-looking sender via a homoglyph attack,
>> as demonstrated by the similarity of \xce\xbf to the 'o' character.
>> 
>> ------------------------------------------
>> 
>> [Additional Information]
>> Postfix allows an email from unsanitized input, pretending to be from
>> an existing user on the mail system, which may look exactly the same.
>> For example, it is possible sending an email using the hex character
>> \xce\ xbf, which looks exactly like the letter 'o'. In case the user
>> john.doe exists on the mail server, postfix would not allow to send an
>> email from this email account unless an unauthorized attempt is made.
>> However, in case we substitute the letter 'o' with the hex character
>> \xce\xbf, it will look exactly like it's being sent from john.doe,
>> although john.doe (j<\xce\xbf)hn.doe) is actually different from
>> the other.
>> 
>> ------------------------------------------
>> 
>> [Vulnerability Type]
>> Incorrect Access Control
>> 
>> ------------------------------------------
>> 
>> [Vendor of Product]
>> postfix
>> 
>> ------------------------------------------
>> 
>> [Affected Product Code Base]
>> postfix 3.3.0-1 - 3.3.0-1
>> 
>> ------------------------------------------
>> 
>> [Affected Component]
>> postfix mail server
>> 
>> ------------------------------------------
>> 
>> [Attack Type]
>> Remote
>> 
>> ------------------------------------------
>> 
>> [Discoverer]
>> d7x, Promise Solutions LTD / www.promiselabs.net [1]
>> 
>> ------------------------------------------
>> 
>> [Reference]
>> https://www.promiselabs.net
>> https://repology.org/project/postfix/versions
>> http://www.postfix.org/announcements.html
> 
> Use CVE-2020-12063.
> 
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
> http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iQIcBAEBCAAGBQJeoGCRAAoJEPNX0OmQPkAIyDAQAI56GXHXS1AJQVx2nBBJosam
> 6d/mtkM+LozhzpBVydzed58z8P/Q/qGWXzdT0mmIvq+X2WQp7pvCrUH7l9wkniH+
> 0FD0c+LO2T/oU7a6sqZ7EHC0V3GPKu/F1W+reNB9V0v8LyAfHLE50AdvHZZjGIHc
> lUvw/hqt+7NqpR2HFyjyA3sb1K8ZiqBcmxwV9ecECUx/smXFpjtdV9hTz7A9mgj8
> ggkSjrkMQBsYqiU2OvPEfn4aKskavqTYLqVMxztieICoDPvNAGj+lnZIz4o6WIig
> d2lqtZ+/8fPVUaYGCikacMNAE4BGs61BQT7tuYdbMt8+wWnB+IU84hBC7Lb7OE8L
> 7O59MmmIF/C/jaaSmwy+FlSk+ZE95Q+SV7CHoYMLeongByo5drvqVuK79t5KVGDO
> L6m85ta3Jh/zzQ6srg6REgPuM1Q2cFwu7FmWg4vAEamCwHnjv6D6xRBRO4lBm9V1
> Upek80hF+BI/JwvKlpng1pzKrClqvzGdeZA4kw5MLoiEN19cf2W85nO0L+cpoLbQ
> ixz/TarYDG9QQ89U3aJcrLDMH6hGsPKmTvD8dy5sVh+J3qK/zvj/eR98xy5jbKAn
> pt57X5qFkfu+Sf9yrC3RFBiNTJ/UB4vb0/25g8M4e+vUMb/kkNxbVVNoAg56Wl1M
> NLgC/CCd32QpiUFehvF2
> =T4/w
> -----END PGP SIGNATURE-----
 

Links:
------
[1] http://www.promiselabs.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.