
Re: zmailer: interpreter: cmd not found:



On Thu, Apr 22, 2004 at 05:15:30PM +0400, Eugene Crosser wrote:
> This seldom happens, but since it looks like a potential(!) security
> problem I am reporting it:

Like I said previously, I considered these happenings potential
problems too, but they were invisible until very recently.
(They sure have happened all the time -- very infrequently, of course.)

> Message from syslogd@gnome10 at Thu Apr 22 17:01:45 2004 ...
> gnome10 router[27573]: zmailer: interpreter: cmd not found: 194.67.21.10
...
> I think that it is related to interactive router.

Yes.  This particular case is due to a script bug that has the following diff:

Index: proto/cf/rrouter.cf
===================================================================
RCS file: /home/mea/src/CVSROOT/zmailer/proto/cf/rrouter.cf,v
retrieving revision 1.28
diff -u -r1.28 rrouter.cf
--- proto/cf/rrouter.cf	23 Nov 2003 13:32:02 -0000	1.28
+++ proto/cf/rrouter.cf	23 Apr 2004 07:52:44 -0000
@@ -105,7 +105,7 @@
 #		;;
 	(.*)<@\[(.+)\]>(.*)
 		# numeric internet spec
-		if $(selfmatch "\2") ; then
+		if [ "$(selfmatch "\2")" ] ; then
 			address="\1$plustail<@>\3"
 			domain="@[\2]"
 			plustail=""
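
Review bot: the changed `if` line should carry a short comment saying that the `[ "..." ]` wrapper is there so the selfmatch result is tested as a string rather than run as a command; without it, the bare `$(selfmatch "\2")` form looks like an equivalent simplification and could be reintroduced. The new condition is true for any non-empty result, so the branch now depends on selfmatch returning an empty string when the lookup fails, which is worth stating in the same comment.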



The result was that when the selfmatch relation did result in a
successful lookup, its result was being interpreted again
as a command -- implicit eval in the 'if'...
Putting it in quotes and "test"-command does solve that.
(Failed lookup didn't continue interpreting the result, and
successful one didn't succeed in doing match resulting in
failed recognition of local addresses in obscure form...)


The usage thing:

If an address has domain part with IP address literal:
     local@[1.2.3.4]
and that 1.2.3.4 happens to be your machine's IP address, then
the address literal will be tried for execution as a command..
(which will most likely _fail_ no matter what.)

Any random string is possible to enter into it, but such will
yield lookup failure -> no "try that as a command" troubles.
     local@[fii.faa.foo]
even embedded spaces within brackets don't leak out and cause
IFS splits and thus potential executable command strings.


These IP-literal address forms are used by some spam relay
testers.  In interactive router mode the net result is
simply acceptance of something (into inside the system)
that should not be accepted.  Without interactive router
the thing would be accepted anyway...


Scary thing, but not a security hole.
We need to check the scripts for possible similar
"if" conditional usage bugs, though.  Elsewhere
they might have potential for danger...

Ok forms are:

   if variable=assignment

and

   if [ test_routine .. ]

> Eugene

-- 
/Matti Aarnio	<mea@nic.funet.fi>
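
An added illustration, not part of the original message and not ZMailer code: it reproduces the two `if` forms from the diff and adds a check for the "similar bugs" audit mentioned above. POSIX sh stands in for the router script language (assumed to behave alike for this construct); `selfmatch_stub`, `lookup`, `audit_bare_if` and the addresses are constructed or hypothetical.

```shell
#!/bin/sh
# Added illustration; POSIX sh stands in for the router script language.

# Constructed stand-in for the selfmatch relation: prints the key and
# returns 0 on a successful lookup, prints nothing and returns 1 otherwise.
selfmatch_stub() {
    case "$1" in
        192.0.2.10) printf '%s\n' "$1" ;;   # constructed "own" address
        *) return 1 ;;
    esac
}

# Pre-fix form: on a hit, the lookup result itself is run as a command,
# the shell reports it as not found, and the branch is never taken.
bare_if() {
    if $(selfmatch_stub "$1") ; then echo local ; else echo remote ; fi
}

# Post-fix form: the result is only tested for being non-empty.
test_if() {
    if [ "$(selfmatch_stub "$1")" ] ; then echo local ; else echo remote ; fi
}

# Constructed script fragment: line 1 is the pre-fix line from the diff,
# line 2 the fixed one, lines 3-4 use a made-up relation name.
sample_cf() {
cat <<'EOF'
	if $(selfmatch "\2") ; then
	if [ "$(selfmatch "\2")" ] ; then
	if address=$(lookup "$x") ; then
	elif `lookup "$x"` ; then
EOF
}

# Audit: print lines where if/elif/while/until is followed directly by a
# command substitution. Reads the named files, or stdin when none given.
audit_bare_if() {
    grep -nE '^[[:space:]]*(if|elif|while|until)[[:space:]]+(\$\(|`)' "$@"
}

for a in 192.0.2.10 198.51.100.7 ; do
    echo "$a: bare=$(bare_if "$a") test=$(test_if "$a")"
done
sample_cf | audit_bare_if || true
```

The audit pattern is a line-based heuristic: it flags candidates for manual review and does not parse the script language.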