Ka har'a seva ea mangolo e ntlafalitsoeng ke morero oa OpenBSD tsebahatsoa (CVE-2020-7247), e u lumellang hore u phethe litaelo tsa khetla ho seva ka litokelo tsa motso. Bofokoli bo ile ba bonoa nakong ea tlhahlobo e entsoeng ke Qualys Security (tlhahlobo e fetileng ea OpenSMTPD). ka 2015, mme ts'oaetso e ncha e bile teng ho tloha ka May 2018). Bothata ho OpenSMTPD 6.6.2 tokollo. Basebelisi bohle ba khothaletsoa ho kenya sesebelisoa hang-hang (bakeng sa OpenBSD, patch e ka kenngoa ka syspatch).
Ho se ho sisintswe mefuta e 'meli ea tlhaselo. Mofuta oa pele o sebetsa le tlhophiso ea kamehla ea OpenSMTPD (e amohelang likopo ho tsoa ho localhost feela) 'me e lumella ts'ebeliso ea lehae ha mohlaseli a na le phihlello ea sebopeho sa marang-rang a lehae (loopback) ho seva (mohlala, litsamaisong tsa ho amohela). Mofuta oa bobeli o etsahala ha OpenSMTPD e hlophisitsoe ho amohela likopo tsa marang-rang a kantle (seva ea mangolo e amohelang mangolo a motho oa boraro). Bafuputsi ba lokisitse prototype exploit e sebetsang ka katleho le mofuta oa OpenSMTPD o kenyellelitsoeng le OpenBSD 6.6 le mofuta o nkehang habobebe bakeng sa litsamaiso tse ling tse sebetsang (e etsoang ka Debian Teko).
Bothata bo bakoa ke phoso mosebetsing oa smtp_mailaddr (), o bitsoang ho lekola ho nepahala ha litekanyetso "MAIL FROM" le "RCPT TO" masimong a hlalosang motho ea romelang / moamoheli mme a fetisoa nakong ea khokahano. le seva sa mangolo. Ho sheba karolo ea aterese ea lengolo-tsoibila e tlang pele ho letšoao la "@", smtp_mailaddr() ts'ebetso e bitsoa.
valid_localpart(), e amohelang (MAILADDR_ALLOWED) litlhaku "!#$%&'*/?^`{|}~+-=_", joalo ka ha ho hlokoa ke RFC 5322.
Tabeng ena, ho phonyoha ka ho otloloha ha mohala ho etsoa mosebetsing oa mda_expand_token(), o nkang sebaka sa litlhaku feela "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). Ka mor'a moo, mohala o lokiselitsoeng ho mda_expand_token() o sebelisoa ha o letsetsa moemeli oa thepa (MDA) o sebelisa taelo ea 'execle("/bin/sh", "/bin/sh", "-c", mda_command,...' Tabeng ea ho beha litlhaku ho mbox ka /bin/sh, mola "/usr/libexec/mail.local -f %%{mbox.from} %%{username}" e qalisoa, moo boleng ba "% {mbox.from}” e kenyelletsa lintlha tse phonyohileng ho tsoa ho paramethara ea "MAIL FROM".
Ntho ea bohlokoa ea ho ba kotsing ke hore smtp_mailaddr() e na le phoso e utloahalang, ka lebaka leo, haeba sebaka se se nang letho se romelloa ho imeile, mosebetsi o khutlisa khoutu e atlehileng ea ho netefatsa, le haeba karolo ea aterese pele ho "@" e na le litlhaku tse sa nepahaleng. . Ho feta moo, ha u lokisetsa khoele, mosebetsi oa mda_expand_token () ha o balehe litlhaku tse khethehileng tsa khetla, empa ke litlhaku tse khethehileng feela tse lumelloang atereseng ea imeile. Kahoo, ho tsamaisa taelo ea hau, ho lekane ho sebelisa letšoao la ";" karolong ea lehae ea lengolo-tsoibila. le sebaka, tse sa kenyelletswang ho MAILADDR_ESCAPE sete mme ha di phonyohe. Ka mohlala:
$nc 127.0.0.1 25
HELO moprofesa.falken
MAILWE A TSOANG:<;robala 66;>
RCPT HO:
Data
.
Tlohela
Kamora lenaneo lena, OpenSMTPD, ha e isoa ho mbox, e tla hlahisa taelo ka khetla
/usr/libexec/mail.local -f ;robala 66; motso
Ka nako e ts'oanang, menyetla ea tlhaselo e lekantsoe ke taba ea hore karolo ea lehae ea aterese e ke ke ea feta litlhaku tse 64, le litlhaku tse khethehileng '$' le '|' li nkeloa sebaka ke ":" ha u baleha. Ho qoba moeli ona, re sebelisa taba ea hore 'mele oa lengolo o fetisoa ka mor'a ho matha /usr/libexec/mail.local ka molapo o kenang, ke hore. Ka ho qhekella aterese, o ka qala mofetoleli oa taelo ea sh le ho sebelisa 'mele oa lengolo joalo ka sete sa litaelo. Kaha lihlooho tsa tšebeletso tsa SMTP li bontšitsoe qalong ea lengolo, ho kgothaletswa ho sebedisa taelo e balwang ka loop ho e tlola. Mokhoa oa ho sebetsa o shebahala tjena:
$nc 192.168.56.143 25
HELO moprofesa.falken
MAIL HO TSOA:<;hobane ke ho 0 1 2 3 4 5 6 7 8 9 abcd;etsa bala r;e felile;sh;tsoa 0;>
RCPT HO:
Data
#0
#1
...
#d
hobane ke ho WOPR; etsa
echo -n "($i) " && id || senya
entseng > /root/x."`id -u`.""$$"
.
Tlohela
Source: opennet.ru
