Vulnerability in OpenSMTPD allowing remote code execution with root privileges

A critical vulnerability (CVE-2020-7247) has been identified in OpenSMTPD, the mail server developed by the OpenBSD project, which allows shell commands to be executed on the server with root privileges. The vulnerability was found during a re-audit by Qualys Security (the previous audit of OpenSMTPD was conducted in 2015; the new vulnerability has been present since May 2018). The problem is fixed in the OpenSMTPD 6.6.2 release. All users are advised to install the update immediately (on OpenBSD the patch can be installed via syspatch).

Two attack variants are proposed. The first works in the default OpenSMTPD configuration (which accepts requests only from localhost) and allows the problem to be exploited locally, when the attacker has access to the local network interface (loopback) on the server (for example, on hosting systems). The second variant applies when OpenSMTPD is configured to accept requests from the external network (a mail server accepting third-party mail). The researchers prepared a prototype exploit that works successfully both with the OpenSMTPD version included in OpenBSD 6.6 and with the portable version for other operating systems (tested on Debian Testing).

The problem is caused by an error in the smtp_mailaddr() function, which is called to check the validity of the values in the "MAIL FROM" and "RCPT TO" fields that define the sender and recipient and are passed during the session with the mail server. To check the part of the email address before the "@" character, smtp_mailaddr() calls valid_localpart(), which accepts (MAILADDR_ALLOWED) the characters "!#$%&'*/?^`{|}~+-=_", as required by RFC 5322.

The actual escaping of the string is performed in the mda_expand_token() function, which replaces only the characters "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). Later, the line prepared in mda_expand_token() is used when the delivery agent (MDA) is invoked with the call 'execle("/bin/sh", "/bin/sh", "-c", mda_command, ...'. When mail is delivered to an mbox via /bin/sh, the line "/usr/libexec/mail.local -f %%{mbox.from} %%{user.username}" is launched, where the value %{mbox.from} contains the escaped data from the "MAIL FROM" parameter.

The essence of the vulnerability is that smtp_mailaddr() contains a logic error: if the domain part of the email address is empty, the function returns a success code even when the part of the address before "@" contains invalid characters. Furthermore, when preparing the string, mda_expand_token() does not escape all shell special characters, only the special characters permitted in an email address. Thus, to run an arbitrary command it is enough to use the ";" character and a space in the local part of the address, which are not included in the MAILADDR_ESCAPE set and are therefore not escaped. For example:

$ nc 127.0.0.1 25

HELO professor.falken
MAIL FROM:<;sleep 66;>
RCPT TO:
DATA
.
QUIT

After this session, OpenSMTPD, when delivering to the mbox, will run the following command through the shell:

/usr/libexec/mail.local -f ;sleep 66; root
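A constructed C model (added here, not OpenSMTPD's own code) of the logic error described above: the flawed checker accepts an address with an empty domain without ever validating its local part, while the hardened variant validates the local part first. The character set is the MAILADDR_ALLOWED list from the text; the helper names valid_localpart and split_addr, the 64-byte buffers and the omission of domain syntax checks are simplifications assumed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Special characters the article lists as MAILADDR_ALLOWED for valid_localpart();
   letters, digits and '.' are accepted too. Constructed model, not OpenSMTPD's code. */
#define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"

/* Simplified valid_localpart(): ';' and ' ' are outside the set, so they fail. */
static bool valid_localpart(const char *s)
{
    if (*s == '\0') return false;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && !strchr(MAILADDR_ALLOWED, *s))
            return false;
    return true;
}

/* Split "local@domain" (domain optional) into 64-byte buffers; the article notes
   the local part cannot exceed 64 characters. Domain syntax is not modelled. */
static bool split_addr(const char *addr, char local[64], char domain[64])
{
    const char *at = strchr(addr, '@');
    size_t ll = at ? (size_t)(at - addr) : strlen(addr);
    const char *d = at ? at + 1 : "";
    if (ll >= 64 || strlen(d) >= 64) return false;
    memcpy(local, addr, ll);
    local[ll] = '\0';
    strcpy(domain, d);
    return true;
}

/* Flawed logic as the article describes it: when the domain is empty the address
   is accepted as a local user even though valid_localpart() failed. 1 = accept. */
int mailaddr_check_flawed(const char *addr)
{
    char local[64], domain[64];
    if (!split_addr(addr, local, domain)) return 0;
    if (valid_localpart(local)) return 1;
    if (local[0] == '\0') return 0;     /* no user part: reject */
    return domain[0] == '\0' ? 1 : 0;   /* no domain: "local user", local part unchecked */
}

/* Hardened variant: the local part is validated before any local-user shortcut. */
int mailaddr_check_fixed(const char *addr)
{
    char local[64], domain[64];
    if (!split_addr(addr, local, domain)) return 0;
    return valid_localpart(local) ? 1 : 0;   /* empty or present domain: both fine */
}
```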

At the same time, the attack is limited by the fact that the local part of the address cannot exceed 64 characters, and the special characters '$' and '|' are replaced with ':' during escaping. To bypass this limitation, the researchers rely on the fact that the body of the message is passed to /usr/libexec/mail.local through its standard input after it is launched: by manipulating the address it is enough to start only the sh command interpreter and use the body of the message as the set of commands. Since SMTP service headers appear at the beginning of the message, a read command in a loop is used to skip them. The exploitation looks roughly like this:

$ nc 192.168.56.143 25

HELO professor.falken
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 abcd;do read r;done;sh;exit 0;>
RCPT TO:[email protected]>
DATA
#0
#1
...
#d
for i in WOPR; do
echo -n "($i)" && id || break
done > /root/x."`id -u`.""$$"
.
QUIT

source: opennet.ru