[Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern]

[Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern]

[Dmitry V. Levin]

[-- Attachment #1: Type: text/plain, Size: 1953 bytes --]

Для тех, у кого в сети есть sendmail.

----- Forwarded message from Wietse Venema <wietse@porcupine.org> -----

Date: Sun, 30 Mar 2003 09:55:31 -0500 (EST)
From: wietse@porcupine.org (Wietse Venema)
To: Postfix announce <postfix-announce@postfix.org>
Cc: Postfix users <postfix-users@postfix.org>
Subject: Postfix CA-2003-12 Preliminary REJECT pattern

CERT advisory CA-2003-12 is about a Sendmail buffer overflow exploit
that can happen with message headers containing the 0xff byte value.

According to the documentation from Sendmail, some exploits can be
stopped by avoiding 0xff bytes in message headers.  The solution
is partial because downstream Sendmail systems may use untrusted
information from the DNS while (re)writing headers, and someone
could insert 0xff characters that way.

One quick way to implement the partial solution is to specify a
header_checks REGEXP pattern that rejects message headers with 0xff
characters.  Specifying numerical character codes in REGEXP patterns
turns out to be painful.  Here is a somewhat clumsy method to
specify a 0xff matching REGEXP:

awk '
    BEGIN { 
	printf "/%c/ REJECT Possible CA-2003-12 exploit\n",255
	exit
    }
' >/etc/postfix/block255

/etc/postfix/main.cf:
    header_checks = /etc/postfix/block255 ...other_files...

Tested with FreeBSD 4, Redhat 8, Solaris 9, all running on Intel.

Raw binary data such as 0xff may cause trouble with text editors.
Therefore, the above example uses a separate file for blocking
the 0xff character instead of appending the pattern to an existing
header_checks file.

Please, do not reply to me and suggest REGEXP patterns using \0377
or \xff. They are outside the re_format(7) spec and will not work
for everyone.

The equivalent PCRE pattern may be easier to specify, but PCRE
support is not universally available with Postfix.

Since I am packing for yet another a trip, this is all I can do now.

	Wietse

----- End forwarded message -----

--
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern]

[ASA]

Hello Dmitry,

Monday, March 31, 2003, 2:56:10 AM, you wrote:

DVL> Для тех, у кого в сети есть sendmail.

...

DVL> To: Postfix announce <postfix-announce@postfix.org>
DVL> Cc: Postfix users <postfix-users@postfix.org>
DVL> Subject: Postfix CA-2003-12 Preliminary REJECT pattern

Странно, до сих пор я думал, что sendmail и postfix - разные
программы ;)
(наличие /usr/sbin/sendmail в расчет не берется)

-- 
Best regards,
 ASA                            mailto:llb@udm.ru

Re: [Comm] [wietse@porcupine.org: Postfix CA-2003-12 Preliminary REJECT pattern]

[Ilya Palagin]

ASA wrote:
> Hello Dmitry,
> 
> Monday, March 31, 2003, 2:56:10 AM, you wrote:
> 
> DVL> Для тех, у кого в сети есть sendmail.
> 
> ...
> 
> DVL> To: Postfix announce <postfix-announce@postfix.org>
> DVL> Cc: Postfix users <postfix-users@postfix.org>
> DVL> Subject: Postfix CA-2003-12 Preliminary REJECT pattern
> 
> Странно, до сих пор я думал, что sendmail и postfix - разные
> программы ;)
> (наличие /usr/sbin/sendmail в расчет не берется)
> 
Wietse Venema рассылает рекомендации по фильтрации опасных
заголовков по каждой дыре в sendmail. Делается это для того,
чтобы защитить машины с sendmail, которые могут находиться
во внутренней сети.