[Secure-testing-team] Bug#741888: postfix: vulnerability, remotely exploitable, spews DSNs

Robert Munyer 4539632595 at munyer.com
Sun Mar 16 23:57:32 UTC 2014


Package: postfix
Version: 2.9.6-2
Severity: important
Tags: patch security

An unmodified Postfix install can be made to bounce arbitrary
content from an arbitrary internal address to an arbitrary external
address, by an external sender who has no affiliation with the
organization that's running Postfix.

The possibilities for offensive use of this exploit are interesting.
Suppose I want to prevent alice at a.com from receiving an important
message that I think bob at b.com may be about to send to her.  I can
take 5,000 randomly selected articles from my local news spool, and
cause b.com to bounce all of them from bob at b.com to postmaster at a.com.
This will likely cause a.com to block incoming mail from bob at b.com,
or from all of b.com... thus blocking Bob's message to Alice.

Or if I'm a spammer and I just want to cause trouble for b.com, I can
cause b.com to bounce spam to all the addresses in my listwash list.

To replicate this exploit, just add a "Delivered-To:" header with
the same address you're using as the envelope recipient.  Postfix
will detect a mail forwarding loop _after_ accepting the message,
and then bounce it to the envelope sender.  See the discussion at
<http://mid.gmane.org/20040917175924.GA30966@ns2.nordita.dk>.

In my own copy of Postfix, I have blocked this exploit by
intercepting outbound bounces and sending them to the local
postmaster instead.  (A patch is attached.)  If Postfix can't be
fixed to reject instead of bounce when it detects a forwarding loop,
then I think it would be desirable to have everyone's copy of Postfix
behave similarly, possibly switchable by a postconf option for any
site admins who actually want their site to send outbound bounces.



-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages postfix depends on:
ii  adduser                3.113+nmu3
ii  cpio                   2.11+dfsg-0.1
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.12
ii  libc6                  2.13-38+deb7u1
ii  libdb5.1               5.1.29-5
ii  libsasl2-2             2.1.25.dfsg1-6+deb7u1
ii  libsqlite3-0           3.7.13-1+deb7u1
ii  libssl1.0.0            1.0.1e-2+deb7u4
ii  lsb-base               4.1+Debian8+deb7u1
ii  netbase                5.0
ii  ssl-cert               1.0.32

Versions of packages postfix recommends:
ii  python  2.7.3-4+deb7u1

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]  8.1.2-0.20111106cvs-1
pn  dovecot-common           <none>
ii  emacs23 [mail-reader]    23.4+1-4
ii  libsasl2-modules         2.1.25.dfsg1-6+deb7u1
ii  mutt [mail-reader]       1.5.21-6.2+deb7u2
pn  postfix-cdb              <none>
pn  postfix-doc              <none>
pn  postfix-ldap             <none>
pn  postfix-mysql            <none>
pn  postfix-pcre             <none>
pn  postfix-pgsql            <none>
ii  procmail                 3.22-20
pn  resolvconf               <none>
pn  sasl2-bin                <none>
pn  ufw                      <none>

-- debconf information excluded
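An added illustration of the check the reporter asks for (rejecting at SMTP time rather than accepting and bouncing). This is example code written for this page, not code from the bug report, from the attached patch, or from Postfix. It shows the logic a pre-queue content filter or milter could apply at end-of-DATA: compare the envelope recipient against every Delivered-To: header and answer 5xx when they match, so no DSN is ever generated toward the (possibly forged) envelope sender. The function names, the sample messages, the example domains and the address normalization (case-insensitive comparison of the bare address) are all assumptions made here; Postfix's local(8) loop detection uses its own rewritten form of the recipient, which this simplifies.

```python
"""Example (not Postfix code): refuse a message at SMTP time when its
Delivered-To: header already names the envelope recipient, instead of
accepting it and later bouncing it as a mail forwarding loop."""
from email import message_from_bytes
from email.utils import parseaddr


def normalize(addr: str) -> str:
    """Reduce '<Bob@B.Example>' or 'Bob <bob@b.example>' to 'bob@b.example'.
    Assumption: a case-insensitive comparison of the bare address is close
    enough to the MTA's own loop check for this demonstration."""
    _, bare = parseaddr(addr)
    return bare.strip().lower()


def delivered_to_loop(envelope_rcpt: str, raw_message: bytes) -> bool:
    """True if any Delivered-To: header already names the envelope recipient,
    i.e. the condition that makes local(8) report a forwarding loop."""
    msg = message_from_bytes(raw_message)
    rcpt = normalize(envelope_rcpt)
    return any(normalize(h) == rcpt for h in msg.get_all("Delivered-To", []))


def smtp_reply_for(envelope_rcpt: str, raw_message: bytes) -> str:
    """Reply a pre-queue filter would send at end-of-DATA.  Rejecting here means
    the sending MTA (or the attacker's client) owns the failure; no DSN is
    produced by us toward whatever MAIL FROM the attacker supplied."""
    if delivered_to_loop(envelope_rcpt, raw_message):
        # RFC 3463: X.4.6 = routing loop detected.  Permanent, so no retries.
        return "550 5.4.6 Delivered-To already names the recipient (mail forwarding loop)"
    return "250 2.0.0 Ok: queued"


# Constructed sample input, modelled on the report's scenario: an outsider
# sends to bob@b.example with MAIL FROM:<postmaster@a.example> and a
# pre-planted Delivered-To: naming bob himself.
LOOPING_MESSAGE = (
    b"Received: from mx.attacker.example (unknown [192.0.2.10])\r\n"
    b"\tby mx.b.example (Postfix) with ESMTP id 0000000000\r\n"
    b"Delivered-To: bob@b.example\r\n"
    b"From: postmaster@a.example\r\n"
    b"To: bob@b.example\r\n"
    b"Subject: newsgroup article 1 of 5000\r\n"
    b"\r\n"
    b"junk to be bounced at a.example\r\n"
)

# Constructed benign case: a Delivered-To: left by a legitimate earlier hop
# for a *different* mailbox (forwarding chain), which is not a loop.
CLEAN_MESSAGE = (
    b"Received: from mx.c.example (mx.c.example [198.51.100.5])\r\n"
    b"\tby mx.b.example (Postfix) with ESMTP id 0000000001\r\n"
    b"Delivered-To: bob-old@c.example\r\n"
    b"From: carol@c.example\r\n"
    b"To: bob@b.example\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"ordinary forwarded mail\r\n"
)


if __name__ == "__main__":
    for label, raw in (("looping", LOOPING_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", smtp_reply_for("bob@b.example", raw))
```

Hooked in as a Postfix milter (smtpd_milters) or pre-queue proxy filter (smtpd_proxy_filter), this answers the loop condition before the 250 to end-of-DATA, which is the point at which responsibility for the message would otherwise pass to the receiving site and force it to emit the DSN the report describes.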
