Am Donnerstag, den 25.09.2014, 22:16 +0200 schrieb Ángel González:
> Any program which allows untrusted variable contents into the
> environment and can be made to spawn a bash descendant is "affected".
The question is how an attacker can convince Courier to set environment
variables to malicious contents.
So far, I have found the variables listed in the dot-courier manpage
under “ENVIRONMENT VARIABLES” as variables that could be set from the
outside. However as I understand, such a variable must be set to
something that begins with “() {” to exploit the bash bug. I wonder
whether this is possible at all, or whether Courier does sanity checking
on things like the envelope return address.
Sam Varshavchik wrote that exploits should only be possible via
*-default files. I currently do not understand why this is the case. The
special thing about *-default files with regard to environment variables
seems to be that the DEFAULT variable is set to a part of the recipient
e-mail address. But also here I wonder whether this allows for an
exploit. I suppose one would have to send e-mail to an address like
<user-() {someting;}na...@example.com>, but I cannot see how this should
be possible.
I would be happy about any clarification why *-default files are
affected by this bug, and why other parts of Courier are not.
Furthermore, I wonder whether successful exploits can always be detected
via the logs. Is it, for example, enough to just check for the string
“() {” in the mail log file?
> CVE-2014-6271 and CVE-2014-7169 are the same in this respect, so the new
> vulnerability doesn't change the affected status (although the later is
> harder to exploit doing something useful, while with 6271 it was
> straightforward).
What exactly does CVE-2014-7169 allow for? And if it is harder to
exploit in general, is it even exploitable at all via Courier?
Unfortunately, I have not yet found anything detailed on CVE-2014-7169
on the web.
All the best,
Wolfgang
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
