Hello,
I noticed something weird in the maillogs today:
---
Feb 9 12:14:52 Server-Name courierd: started,id=00059375.40208664.00003952,from=<Jbanes|[EMAIL PROTECTED]>,module=local,[EMAIL PROTECTED]/path/to/user/home!/paht/to/user/home/Maildir!,addr=<[EMAIL PROTECTED]>
Feb 9 12:14:52 Server-Name courierd: Waiting. shutdown time=none, wakeup time=Mon Feb 9 13:58:59 2004, queuedelivering=2, inprogress=1
Feb 9 12:14:53 Server-Name amavis[16385]: starting. amavis perl-11 Thu Mar 6 16:18:46 CET 2003
Feb 9 12:14:53 Server-Name amavis[16385]: Missing arguments to postfix
Feb 9 12:14:53 Server-Name amavis[16385]: do_exit:279 - ending execution with 75
Feb 9 12:14:53 Server-Name courierlocal: id=00059375.40208664.00003952,from=<Jbanes|[EMAIL PROTECTED]>,addr=<[EMAIL PROTECTED]>: sh: [EMAIL PROTECTED]: command not found
Feb 9 12:14:53 Server-Name courierlocal: id=00059375.40208664.00003952,from=<Jbanes|[EMAIL PROTECTED]>,addr=<[EMAIL PROTECTED]>: maildrop: Unable to filter message.
Feb 9 12:14:53 Server-Name courierlocal: id=00059375.40208664.00003952,from=<Jbanes|[EMAIL PROTECTED]>,addr=<[EMAIL PROTECTED]>,status: deferred
Feb 9 12:14:53 Server-Name courierd: completed,id=00059375.40208664.00003952
Feb 9 12:14:53 Server-Name courierd: Waiting. shutdown time=Mon Feb 9 12:19:53 2004, wakeup time=Mon Feb 9 12:19:53 2004, queuedelivering=2, inprogress=0
---
The lines in my maildroprc which cause this to happen are:
---
import SENDER
import RECIPIENT
import HOME
# fall back to a fixed address when the envelope sender is empty
if ($SENDER ne "")
{
    FROM=$SENDER
}
else
{
    FROM="[EMAIL PROTECTED]"
}
# same for the envelope recipient
if ($RECIPIENT ne "")
{
    TO=$RECIPIENT
}
else
{
    TO="[EMAIL PROTECTED]"
}
# both values are expanded unquoted into a command line run by /bin/sh
xfilter "/opt/amavis/sbin/amavis $FROM $TO"
---
The message itself is probably just a piece of spam, but the following is
remarkable:
1. Courier accepts the email address containing an | sign in the From field.
2. Courier tries to pass it to the anti-virus check script (as specified
in maildroprc).
3. Bash interprets this as a pipe and is thus executing a command
specified in the 'From' field.
I can very well imagine this could lead to a dangerous exploit if it were
specially crafted for this purpose. Besides, I believe the RFCs do not
allow the | sign in e-mail addresses... So why is Courier allowing this?
I am currently working on a solution to prevent this from happening by
adding some extra lines to maildroprc, that should fix the problem for
now.
This of course wouldn't have happened if I hadn't left such a large hole
in my maildroprc, although I just followed the amavis documentation.
But I am still very curious to know why Courier decides to allow this.
Ideas, anyone?
Yours sincerely,
AVG Bedrijven Heijen BV
D. van der Haghen
Network Administrator
E: [EMAIL PROTECTED]
T: 0031485-551235
F: 0031485-514805
Disclaimer
**********************************************************************
No rights can be derived from this message.
This message is intended solely for the addressee.
If you have received this message in error, you are requested to
destroy it and to inform the sender.
If in doubt about the correctness or completeness of the mail, we
advise you to contact the sender.
**********************************************************************
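The hole described in the post is an address expanded unquoted into a `/bin/sh` command line. Quoting alone is not enough (a `'` in the address breaks out of single quotes), so the defensive pattern is an allow-list check before the value ever reaches `xfilter`. The script below is an added example, not part of the post or of maildrop/amavis: it validates an address against a conservative character set, substitutes a constructed placeholder when validation fails, and, going one step beyond the post, counts the `sh: ...: command not found` symptom in courierlocal log lines so the condition can be detected after the fact. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example: allow-list an address before handing it to a shell
# command (such as maildrop's xfilter), plus a log check for the symptom
# seen in the post. Not part of maildrop, Courier or amavis.

# Return 0 only if the address uses a conservative character set:
# local part of letters, digits and . _ + = -, then @, then a dotted
# domain. Shell metacharacters (| ; $ ` ' " space ...) never match.
validate_addr() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9._+=-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# The value to pass on: the real address if it validates, otherwise a
# fixed, known-safe placeholder (the same idea the original maildroprc
# uses for empty values). The placeholder address is constructed.
safe_addr() {
    if validate_addr "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' 'invalid@placeholder.invalid'
    fi
}

# Count courierlocal lines where /bin/sh tried to run part of an address
# as a command. Reads log text on stdin; prints 0 when nothing matches.
count_injection_symptoms() {
    grep -c 'courierlocal:.*sh: .*: command not found' || true
}

# Constructed sample log in the same shape as the post's excerpt.
SAMPLE_LOG='Feb  9 12:14:53 host courierlocal: id=00000000.00000000.00000000,from=<user|evil@example.invalid>,addr=<rcpt@example.invalid>: sh: evil@example.invalid: command not found
Feb  9 12:14:53 host courierlocal: id=00000000.00000000.00000000,from=<user|evil@example.invalid>,addr=<rcpt@example.invalid>: maildrop: Unable to filter message.
Feb  9 12:14:53 host courierd: completed,id=00000000.00000000.00000000'

# Stand-alone demonstration.
safe_addr 'user@example.invalid'
safe_addr 'user|evil@example.invalid'
printf '%s\n' "$SAMPLE_LOG" | count_injection_symptoms
```

In a maildroprc the equivalent is to test `$SENDER` and `$RECIPIENT` against the same strict pattern before building the xfilter command, and to fall back to a fixed address when the test fails.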
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users