Bug#741888: postfix: vulnerability, remotely exploitable, spews DSNs

2019-02-21 Thread Robert Munyer
Control: found -1 3.1.9-0+deb9u2

Scott Kitterman wrote:

> I agree this is a problem.  A design change like this should not be
> implemented at the distro level, so it's not a patch I would consider
> for Debian.  It should be discussed with the upstream developers.

Does upstream have a BTS?  I remember looking for an upstream BTS
when I filed this, and not finding one.  I did find a mailing list,
but it already had multiple reports about this vulnerability.

What I did to my own copy of Postfix (and shared with others, via
this bug report) was not a design change, but a surgical removal of
Postfix's ability to send "bounce" messages to strangers.

It's true that a design change would be better, but one doesn't want
to wait that long.  This exploit had been made public almost 10 years
before I first encountered it (in Petter Urkedal's 2004-09-17 message,
linked in my bug report) and the version of Postfix that's in Debian
Stable today is still vulnerable to this 14.4-year-old exploit!

I (and probably many others) want an MTA that just doesn't ever send
"bounce" messages to strangers.



Bug#741888: postfix: vulnerability, remotely exploitable, spews DSNs

2019-02-21 Thread Scott Kitterman
On Thursday, February 21, 2019 05:35:26 PM Robert Munyer wrote:
> Control: found -1 3.1.9-0+deb9u2
> 
> Scott Kitterman wrote:
> > I agree this is a problem.  A design change like this should not be
> > implemented at the distro level, so it's not a patch I would consider
> > for Debian.  It should be discussed with the upstream developers.
> 
> Does upstream have a BTS?  I remember looking for an upstream BTS
> when I filed this, and not finding one.  I did find a mailing list,
> but it already had multiple reports about this vulnerability.
> 
> What I did to my own copy of Postfix (and shared with others, via
> this bug report) was not a design change, but a surgical removal of
> Postfix's ability to send "bounce" messages to strangers.
> 
> It's true that a design change would be better, but one doesn't want
> to wait that long.  This exploit had been made public almost 10 years
> before I first encountered it (in Petter Urkedal's 2004-09-17 message,
> linked in my bug report) and the version of Postfix that's in Debian
> Stable today is still vulnerable to this 14.4-year-old exploit!
> 
> I (and probably many others) want an MTA that just doesn't ever send
> "bounce" messages to strangers.

No, they still don't.

I intend to bring it up again with them once postfix 3.4.0 is out (there's no 
way they'd pay attention now).

Scott K



Bug#741888: postfix: vulnerability, remotely exploitable, spews DSNs

2014-03-16 Thread Robert Munyer
Package: postfix
Version: 2.9.6-2
Severity: important
Tags: patch security

An unmodified Postfix install can be made to bounce arbitrary
content from an arbitrary internal address to an arbitrary external
address, by an external sender who has no affiliation with the
organization that's running Postfix.

The possibilities for offensive use of this exploit are interesting.
Suppose I want to prevent al...@a.com from receiving an important
message that I think b...@b.com may be about to send to her.  I can
take 5,000 randomly selected articles from my local news spool, and
cause b.com to bounce all of them from b...@b.com to postmas...@a.com.
This will likely cause a.com to block incoming mail from b...@b.com,
or from all of b.com... thus blocking Bob's message to Alice.

Or if I'm a spammer and I just want to cause trouble for b.com, I can
cause b.com to bounce spam to all the addresses in my listwash list.

To replicate this exploit, just add a "Delivered-To:" header with
the same address you're using as the envelope recipient.  Postfix
will detect a mail forwarding loop _after_ accepting the message,
and then bounce it to the envelope sender.  See the discussion at
.

In my own copy of Postfix, I have blocked this exploit by
intercepting outbound bounces and sending them to the local
postmaster instead.  (A patch is attached.)  If Postfix can't be
fixed to reject instead of bounce when it detects a forwarding loop,
then I think it would be desirable to have everyone's copy of Postfix
behave similarly, possibly switchable by a postconf option for any
site admins who actually want their site to send outbound bounces.



-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages postfix depends on:
ii  adduser                3.113+nmu3
ii  cpio                   2.11+dfsg-0.1
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.12
ii  libc6                  2.13-38+deb7u1
ii  libdb5.1               5.1.29-5
ii  libsasl2-2             2.1.25.dfsg1-6+deb7u1
ii  libsqlite3-0           3.7.13-1+deb7u1
ii  libssl1.0.0            1.0.1e-2+deb7u4
ii  lsb-base               4.1+Debian8+deb7u1
ii  netbase                5.0
ii  ssl-cert               1.0.32

Versions of packages postfix recommends:
ii  python  2.7.3-4+deb7u1

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]  8.1.2-0.2006cvs-1
pn  dovecot-common
ii  emacs23 [mail-reader]    23.4+1-4
ii  libsasl2-modules         2.1.25.dfsg1-6+deb7u1
ii  mutt [mail-reader]       1.5.21-6.2+deb7u2
pn  postfix-cdb
pn  postfix-doc
pn  postfix-ldap
pn  postfix-mysql
pn  postfix-pcre
pn  postfix-pgsql
ii  procmail                 3.22-20
pn  resolvconf
pn  sasl2-bin
pn  ufw

-- debconf information excluded


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
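An added example, not code from the bug report or from Postfix itself: detection logic that runs over constructed Postfix log lines and pulls out the accept-then-bounce pattern described in the report above. Postfix logs one accepted message under a single queue ID across several daemons (smtpd records the client address, qmgr the envelope sender, local(8) the "mail forwarding loop" bounce, bounce(8) the queue ID of the DSN it generated); joining those lines on the queue ID shows which untrusted clients are making the server emit DSNs to third parties, and how many each has caused. The line formats follow Postfix's usual syslog output; the host names, addresses, queue IDs and the TRUSTED_NETS list are assumptions made up for the sample.

```python
"""Detect accept-then-bounce abuse in Postfix logs by joining per-daemon
log lines on the queue ID and flagging "mail forwarding loop" bounces
whose triggering message came from an untrusted SMTP client."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample (not from the bug report or any real server): mx hosts
# b.example; 203.0.113.7 is the abuser, 192.0.2.10 an internal host.
SAMPLE_LOG = """\
Mar 16 10:00:01 mx postfix/smtpd[1201]: 1A2B3C4D5E: client=unknown[203.0.113.7]
Mar 16 10:00:01 mx postfix/qmgr[1203]: 1A2B3C4D5E: from=<postmaster@a.example>, size=1240, nrcpt=1 (queue active)
Mar 16 10:00:02 mx postfix/local[1204]: 1A2B3C4D5E: to=<bob@b.example>, relay=local, delay=0.5, delays=0.4/0/0/0.1, dsn=5.4.6, status=bounced (mail forwarding loop for bob@b.example)
Mar 16 10:00:02 mx postfix/bounce[1205]: 1A2B3C4D5E: sender non-delivery notification: 6F7A8B9C0D
Mar 16 10:00:03 mx postfix/smtpd[1201]: 2B3C4D5E6F: client=unknown[203.0.113.7]
Mar 16 10:00:03 mx postfix/qmgr[1203]: 2B3C4D5E6F: from=<postmaster@a.example>, size=1302, nrcpt=1 (queue active)
Mar 16 10:00:04 mx postfix/local[1204]: 2B3C4D5E6F: to=<bob@b.example>, relay=local, delay=0.4, delays=0.3/0/0/0.1, dsn=5.4.6, status=bounced (mail forwarding loop for bob@b.example)
Mar 16 10:00:04 mx postfix/bounce[1205]: 2B3C4D5E6F: sender non-delivery notification: 7A8B9C0D1E
Mar 16 10:00:05 mx postfix/smtpd[1206]: 3C4D5E6F7A: client=app1.b.example[192.0.2.10]
Mar 16 10:00:05 mx postfix/qmgr[1203]: 3C4D5E6F7A: from=<carol@b.example>, size=980, nrcpt=1 (queue active)
Mar 16 10:00:06 mx postfix/local[1204]: 3C4D5E6F7A: to=<bob@b.example>, relay=local, delay=0.3, delays=0.2/0/0/0.1, dsn=5.4.6, status=bounced (mail forwarding loop for bob@b.example)
Mar 16 10:00:06 mx postfix/bounce[1205]: 3C4D5E6F7A: sender non-delivery notification: 8B9C0D1E2F
Mar 16 10:00:07 mx postfix/smtpd[1201]: 4D5E6F7A8B: client=mail.c.example[198.51.100.9]
Mar 16 10:00:07 mx postfix/qmgr[1203]: 4D5E6F7A8B: from=<dave@c.example>, size=1510, nrcpt=1 (queue active)
Mar 16 10:00:08 mx postfix/local[1204]: 4D5E6F7A8B: to=<bob@b.example>, relay=local, delay=0.6, delays=0.5/0/0/0.1, dsn=5.4.6, status=bounced (mail forwarding loop for bob@b.example)
Mar 16 10:00:08 mx postfix/bounce[1205]: 4D5E6F7A8B: sender non-delivery notification: 9C0D1E2F3A
Mar 16 10:00:09 mx postfix/smtpd[1201]: 5E6F7A8B9C: client=mail.c.example[198.51.100.9]
Mar 16 10:00:09 mx postfix/qmgr[1203]: 5E6F7A8B9C: from=<eve@c.example>, size=2210, nrcpt=1 (queue active)
Mar 16 10:00:10 mx postfix/local[1204]: 5E6F7A8B9C: to=<bob@b.example>, relay=local, delay=0.3, delays=0.2/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# One pattern per daemon; each captures the queue ID that ties the lines together.
PATTERNS = (
    re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S*?\[(?P<ip>[^\]]+)\]"),
    re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>"),
    re.compile(r"postfix/local\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>"
               r".*status=bounced \((?P<reason>[^)]*)\)"),
    re.compile(r"postfix/bounce\[\d+\]: (?P<qid>\w+): sender non-delivery notification: (?P<dsn_qid>\w+)"),
)

# Assumed trusted source networks: loops from these are misconfiguration, not abuse.
TRUSTED_NETS = (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8"))


def correlate(lines):
    """Join the per-daemon log lines on queue ID into one record per message."""
    records = defaultdict(dict)
    for line in lines:
        for rx in PATTERNS:
            m = rx.search(line)
            if m:
                records[m.group("qid")].update(m.groupdict())
                break
    return records


def find_backscatter(lines, trusted_nets=TRUSTED_NETS):
    """Loop bounces whose triggering message was injected by an untrusted client."""
    events = []
    for qid, rec in correlate(lines).items():
        if not rec.get("reason", "").startswith("mail forwarding loop"):
            continue
        ip = rec.get("ip")
        if ip is None:  # submitted locally via pickup/sendmail: no smtpd line
            continue
        if ip.startswith("IPv6:"):  # smtpd logs v6 clients as [IPv6:addr]
            ip = ip[len("IPv6:"):]
        if any(ipaddress.ip_address(ip) in net for net in trusted_nets):
            continue
        events.append({"qid": qid, "client_ip": ip, "sender": rec.get("sender", ""),
                       "rcpt": rec["rcpt"], "dsn_qid": rec.get("dsn_qid")})
    return events


def noisy_clients(events, threshold=2):
    """Clients that caused at least `threshold` DSNs to third parties."""
    counts = Counter(e["client_ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_backscatter(SAMPLE_LOG.splitlines())
    for e in found:
        print(f"{e['qid']}: client {e['client_ip']} used sender <{e['sender']}>; "
              f"DSN {e['dsn_qid']} went out for loop on <{e['rcpt']}>")
    print("repeat offenders:", noisy_clients(found))
```

Feed it the lines of /var/log/mail.log instead of SAMPLE_LOG to run it for real. Only local(8) performs the Delivered-To loop check, so only its lines are matched; the bounce queue ID in each event is what to search for when tracing the DSN that actually left the server. Counting per client IP misses a sender spread across many hosts, so for triage it is worth also grouping the events by the domain of the (forged) envelope sender, which is the party receiving the backscatter.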



Bug#741888: postfix: vulnerability, remotely exploitable, spews DSNs

2014-03-16 Thread Robert Munyer
diff -ur old/postfix-2.9.6/src/global/post_mail.c new/postfix-2.9.6/src/global/post_mail.c
--- old/postfix-2.9.6/src/global/post_mail.c	2007-02-12 15:34:48.0 -0500
+++ new/postfix-2.9.6/src/global/post_mail.c	2014-03-08 07:31:00.0 -0500
@@ -165,6 +165,10 @@
 #include 
 #include 
 
+/* Client stubs. */
+
+#include 
+
  /*
   * Call-back state for asynchronous connection requests.
   */
@@ -207,6 +211,23 @@
 	msg_fatal("unable to contact the %s service", var_cleanup_service);
 
 /*
+ * If trying to send to a domain which "should be limited to
+ * authorized senders only", this is probably an attempt to do
+ * "accept-then-bounce".  Send to the local postmaster instead.
+ */
+if (filter_class & INT_FILT_MASK_BOUNCE) {
+RESOLVE_REPLY reply;
+resolve_clnt_init(&reply);
+resolve_clnt_query(recipient, &reply);
+if (reply.flags & RESOLVE_CLASS_DEFAULT) {
+msg_warn("%s: blocking outbound message; diverting to postmaster",
+ vstring_str(id));
+recipient = "postmaster";
+}
+resolve_clnt_free(&reply);
+}
+
+/*
  * Generate a minimal envelope section. The cleanup service will add a
  * size record.
  */
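Review bot: the diversion in this hunk keys only on `filter_class & INT_FILT_MASK_BOUNCE` plus the recipient resolving to RESOLVE_CLASS_DEFAULT, so it swallows every non-delivery notice addressed to a remote sender, not just the forwarding-loop bounce the report is about; a message accepted and later rejected by a content filter, or bounced for an over-quota mailbox, is diverted to postmaster in exactly the same way, and the sender never learns it. The report's own text asks for a postconf switch for sites that do want outbound bounces; that switch belongs here as a guard on the `if (filter_class & INT_FILT_MASK_BOUNCE)` block, with the new parameter documented alongside the other bounce parameters. Two smaller points: the `msg_warn` logs only the queue ID, so add the original `recipient` (the address the DSN would have gone to) to the message, otherwise the diverted notice cannot be traced back to the forged sender; and `recipient = "postmaster"` is an unqualified literal, so consider using the existing bounce_notice_recipient parameter (var_bounce_rcpt) instead, which keeps the diversion consistent with the site's configured bounce recipient. The warning text "blocking outbound message" also overstates what happens: the message is diverted, not dropped.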

