Vulnerability in OpenSMTPD allowing remote code execution with root privileges

A critical vulnerability (CVE-2020-7247) has been identified in OpenSMTPD, the mail server developed by the OpenBSD project, which allows arbitrary shell commands to be executed remotely on the server with root privileges. The vulnerability was found during a re-audit carried out by Qualys Security (the previous OpenSMTPD audit was conducted in 2015, and the new vulnerability has existed since May 2018). The problem is fixed in the OpenSMTPD 6.6.2 release. All users are advised to install the update immediately (on OpenBSD the patch can be applied via syspatch).

Two attack options are described. The first works in the default OpenSMTPD configuration (accepting requests only from localhost) and allows the problem to be exploited locally, or when the attacker has gained access to the local network interface (loopback) on the server (for example, on hosting systems). The second applies when OpenSMTPD is configured to accept external network requests (a mail server accepting third-party mail). The researchers have prepared a prototype exploit that works successfully both with the OpenSMTPD version included in OpenBSD 6.6 and with the portable version for other operating systems (tested on Debian Testing).

The problem is caused by an error in the smtp_mailaddr() function, which is called to check the correctness of the values in the "MAIL FROM" and "RCPT TO" fields that specify the sender and recipient and are passed during the connection to the mail server. To check the part of the email address that comes before the "@" symbol, smtp_mailaddr() calls valid_localpart(), which accepts (MAILADDR_ALLOWED) the characters "!#$%&'*/?^`{|}~+-=_", as required by RFC 5322.

At the same time, direct escaping of the string is performed in the mda_expand_token() function, which replaces only the characters "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). The string prepared in mda_expand_token() is then used when invoking the delivery agent (MDA) via the call 'execle("/bin/sh", "/bin/sh", "-c", mda_command,...'. When delivering mail to mbox via /bin/sh, the command line "/usr/libexec/mail.local -f %%{mbox.from} %%{username}" is launched, where the value of "%{mbox.from}" contains the escaped data from the "MAIL FROM" parameter.

The essence of the vulnerability is that smtp_mailaddr() contains a logic error: if an empty domain is passed in the email address, the function returns a successful validation code even if the part of the address before "@" contains invalid characters. Furthermore, when forming the string, mda_expand_token() does not escape all possible shell special characters, only the special characters permitted in an email address. Thus, to run a command it is enough to use the ";" symbol and a space in the local part of the email address; neither is included in the MAILADDR_ESCAPE set, so neither is escaped. For example:

$ nc 127.0.0.1 25

HELO professor.falken
MAIL FROM:
RCPT TO:
DATA
.
QUIT

After this session, when delivering to mbox, OpenSMTPD will run the following command via the shell:

/usr/libexec/mail.local -f ;sleep 66; root
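The logic flaw described above, modelled in simplified C as an added example (this is not OpenSMTPD's code): a check that accepts an address with no domain part without re-validating its local part, beside a corrected check that validates the local part on every path. The function names, the split helper and the 64-byte buffers are assumptions; the allowed character set is the one quoted in the text, plus alphanumerics and '.'.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Local-part characters accepted besides alphanumerics and '.' (the
 * MAILADDR_ALLOWED set quoted in the advisory); ';' and ' ' are not in it. */
static const char MAILADDR_ALLOWED[] = "!#$%&'*/?^`{|}~+-=_";

static bool valid_localpart(const char *s)
{
    if (*s == '\0') return false;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && !strchr(MAILADDR_ALLOWED, *s))
            return false;
    return true;
}

/* Split "user@domain" into two buffers; the domain may be absent. (Assumed helper.) */
static void split_addr(const char *addr, char *user, char *domain, size_t n)
{
    const char *at = strrchr(addr, '@');
    size_t ulen = at ? (size_t)(at - addr) : strlen(addr);
    if (ulen >= n) ulen = n - 1;
    memcpy(user, addr, ulen);
    user[ulen] = '\0';
    snprintf(domain, n, "%s", at ? at + 1 : "");
}

/* Simplified model of the pre-6.6.2 logic: an address without a domain is
 * treated as a local user, and that branch reports success without re-checking
 * the local part. */
bool mailaddr_ok_vulnerable(const char *addr)
{
    char user[64], domain[64];
    split_addr(addr, user, domain, sizeof user);
    if (!valid_localpart(user) || domain[0] == '\0') {
        if (user[0] == '\0') return false;   /* empty user part: reject */
        if (domain[0] == '\0') return true;  /* BUG: local user accepted unvalidated */
        return false;
    }
    return true;
}

/* Corrected logic: the local part must pass valid_localpart() regardless of
 * whether a domain was supplied (an empty domain still means local delivery). */
bool mailaddr_ok_fixed(const char *addr)
{
    char user[64], domain[64];
    split_addr(addr, user, domain, sizeof user);
    return valid_localpart(user);
}
```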

At the same time, the possibilities for attack are limited by the fact that the local part of the address cannot exceed 64 characters, and the special characters '$' and '|' are replaced with ":" when escaped. To get around this restriction, the exploit relies on the fact that the body of the message is passed to /usr/libexec/mail.local via its standard input after it is launched, i.e. the address is used only to start the sh command interpreter, and the message body is used as the set of commands. Since the service SMTP headers appear at the beginning of the message, it is suggested to use the read command in a loop to skip them. A working exploit looks like this:

$ nc 192.168.56.143 25

HELO professor.falken
MAIL FROM:
RCPT TO: <[email protected]>
DATA
#0
#1
...
#d
for i in W O P R; do
echo -n "($i) " && id || break
done > /root/x."`id -u`." "$$"
.
QUIT

Source: opennet.ru
