[Exim] Potential security problem

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Philip Hazel
Datum:  
To: exim-users, exim-announce
Betreff: [Exim] Potential security problem
Important. Please read.

Amongst other things, Exim 3.34 and Exim 3.952 (alpha for Exim 4), which I have
just put onto the primary ftp site, contain a fix for a potential security
problem. Please check whether this could affect you, and if so, either upgrade
to the new release, or apply one of the patches below.

The problem exists only in the case of a run time configuration which directs
or routes an address to a pipe transport without checking the local part of the
address in any way. This does not apply, for example, to pipes run from alias
or forward files, because the local part is checked to ensure that it is the
name of an alias or of a local user.

One kind of configuration where this may apply is one where all incoming mail
is sent straight to a virus checker by means of a pipe, without inspecting the
local parts of addresses. However, if receiver_verify is turned on, and the
director/router that is used for the pipe has no_verify set, there may not be
an exposure, because the local parts are probably checked by the verification
process even though they are not checked at delivery time before being sent to
the pipe.

The bug is provoked by routing/directing an address whose local part begins
with a pipe symbol (vertical bar) to a pipe transport. That is why any
configuration in which local parts are first checked in some way is not
normally vulnerable (a local part starting with a pipe symbol is normally
invalid). The Exim 4 default configuration blocks local parts that contain any
of the characters @%!/| at SMTP time, as it happens.

The bug's effect is that, instead of obeying the correct pipe command, a broken
Exim runs the command encoded in the local part.

If you do not want to upgrade to Exim 3.34, here are two patches for earlier
versions. The fix is very simple. The bug was a bit of idiotic stupidity on my
part. Apologies for the inconvenience. My thanks to Patrice Fournier for
discovering and reporting this problem, and keeping on at me when at first I
did not believe him.

----------------------------------------------------------------------------
This patch is for version 3.33. It should also work on all previous versions
back to 3.20.

*** exim-3.33/src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c    Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */


! if (addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */


! if (testflag(addr,af_pfr) && addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
----------------------------------------------------------------------------



----------------------------------------------------------------------------
This patch is for versions before 3.20. It should work at least as far back as
release 3.12 (which was release on December 8, 1999). It may work on earlier
releases - if not, it is such a simple patch that you should be able to figure
out what to change by hand.

*** src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c    Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */


! if (addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */


! if (addr->pfr && addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
----------------------------------------------------------------------------



--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.