Remotely exploitable vulnerability in the qmail mail server

Security researchers from Qualys have demonstrated that a vulnerability in the qmail mail server, known since 2005 (CVE-2005-1513), can be exploited. It had remained unfixed because the author of qmail argued that it was unrealistic to build a working exploit that could attack a system in the default configuration. Qualys was able to prepare an exploit that refutes this assumption and allows remote code execution on the server by sending a specially crafted message.

The problem is caused by an integer overflow in the stralloc_readyplus() function, which can occur while processing a very large message. Exploitation requires a 64-bit system with more than 4GB of virtual memory. When the vulnerability was first analysed in 2005, Daniel J. Bernstein argued that the code's assumption that the size of an allocated array always fits in a 32-bit value relied on the fact that nobody gives gigabytes of memory to every process. In the 15 years since then, 64-bit systems have replaced 32-bit systems on servers, and both the amount of memory installed and network bandwidth have grown considerably.
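The size arithmetic described above, shown on a simplified model of a qmail-style growable string (this is an added example written for this page, not qmail's own stralloc code; the struct, field names and function names are assumptions). The naive computation wraps in 32-bit arithmetic, so a huge request looks smaller than the data already present; the hardened variant rejects the request before it can under-size the buffer.

```c
#include <limits.h>
#include <stdlib.h>

/* Simplified model (assumption of this example): a 32-bit length and a
   32-bit capacity, which is exactly what makes len + n wrap on a 64-bit
   host that is willing to hand the process more than 4GB of memory. */
typedef struct {
    char *s;
    unsigned int len;  /* bytes in use */
    unsigned int a;    /* bytes allocated */
} sa_t;

/* Naive required-size computation: len + n in 32-bit unsigned arithmetic.
   With len = 0x20000000 and n = 0xF0000000 the true total is 0x110000000,
   but the result wraps to 0x10000000, which is smaller than len itself. */
unsigned int naive_needed(unsigned int len, unsigned int n) {
    return len + n;
}

/* Returns 1 when the naive result is smaller than the data already held,
   i.e. when the buffer would be left too small for the copy that follows. */
int naive_undersizes(unsigned int len, unsigned int n) {
    return naive_needed(len, n) < len;
}

/* Hardened readyplus: refuse any request whose total would not fit in
   32 bits, then grow the buffer to at least len + n bytes.
   Returns 1 on success, 0 on overflow or allocation failure. */
int readyplus_checked(sa_t *x, unsigned int n) {
    if (n > UINT_MAX - x->len)      /* len + n would wrap: reject */
        return 0;
    unsigned int need = x->len + n;
    if (need <= x->a)
        return 1;                   /* already large enough */
    char *p = realloc(x->s, need);
    if (p == NULL)
        return 0;
    x->s = p;
    x->a = need;
    return 1;
}

/* Helper for exercising readyplus_checked() on a fresh model string. */
int try_readyplus(unsigned int len, unsigned int a, unsigned int n) {
    sa_t x = { NULL, len, a };
    int ok = readyplus_checked(&x, n);
    free(x.s);
    return ok;
}
```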

The maintainers of the qmail packages took Bernstein's remark into account and limited the memory available to the qmail-smtpd process at startup (for example, in Debian 10 the limit is set to 7MB). But the Qualys engineers found that this is not sufficient: in addition to qmail-smtpd, a remote attack can be carried out against the qmail-local process, which was left without any limit in all the packages tested. As a proof of concept, a prototype exploit was prepared that works against the Debian qmail package in its default configuration.

To achieve remote code execution during the attack, the server needs 4GB of free disk space and 8GB of RAM.

The exploit allows arbitrary shell commands to be run with the rights of any user on the system, except root and system users that do not have their own subdirectory under "/home" (the qmail-local process is started with the rights of the local user to whom the message is being delivered).

The attack is carried out by sending a very large mail message that includes several header lines of about 4GB and 576MB in size. Processing such a line in qmail-local causes an integer overflow while attempting to deliver the message to the local user. The integer overflow then leads to a buffer overflow when the data is copied, and makes it possible to overwrite memory pages containing libc code. By controlling the layout of the transmitted data, it is also possible to overwrite the address of the "open()" function, replacing it with the address of the "system()" function.

After that, while qmail-local is processing the qmesearch() call, the file ".qmail-extension" is opened through the open() function, which now results in the actual call system("qmail-extension"). But since the "extension" part of the file name is derived from the recipient address (for example, "localuser-extension@localdomain"), attackers can arrange for a command to be executed by specifying the user "localuser-;command;@localdomain" as the recipient of the message.

During the code review, two further vulnerabilities were found in the additional qmail-verify patch, which is part of the Debian package. The first vulnerability (CVE-2020-3811) allows email address verification to be bypassed, and the second (CVE-2020-3812) leads to a local information leak. In particular, the first vulnerability allows bypassing the validity check on the address that the exploit uses to pass a command (the check does not apply to addresses without a domain, such as "localuser-;command;"). The second vulnerability can be used to probe for the existence of files and directories on the system, including those accessible only to root (qmail-verify runs with root rights), through a direct call to the local delivery handler.

To address the problem, Bernstein suggested running the qmail processes with a limit on the available memory ("softlimit -m12345678"), which blocks the issue. As an alternative protection, limiting the maximum size of a processed message through the "control/databytes" file is also mentioned (this file is not created by default, so qmail in its default configuration remains vulnerable). Moreover, "control/databytes" does not protect against local attacks by system users, since the limit is honoured only by qmail-smtpd.

The problem affects the netqmail package, which is included in the Debian repositories. A set of patches has been prepared for this package that fixes both the old vulnerability from 2005 (by adding a memory limit to the alloc() function code) and the new problems in qmail-verify. An updated version of the qmail-verify patch has been prepared separately. The developers of the notqmail branch have prepared their own patches to block the old problems, and have also begun work on eliminating all possible integer overflows in the code.

source: budenet.ru