(Sorry for the "CVE-2015-ABCD" place-holders in the report, but OpenSMTPD's developers were ready with the patches before MITRE was ready with the CVE-IDs.)

Qualys Security Advisory

OpenSMTPD Audit Report

========================================================================
Contents
========================================================================

Summary
Approach
Local Vulnerabilities
Remote Vulnerabilities
Inter-Process Vulnerabilities
Miscellaneous Bugs
Acknowledgments

========================================================================
Summary
========================================================================

For the past few months, one of our background projects has been to audit OpenSMTPD, a free implementation of the server-side Simple Mail Transfer Protocol (SMTP). OpenSMTPD replaces Sendmail as OpenBSD's default Mail Transfer Agent (MTA) since OpenBSD 5.6, released on November 1, 2014. OpenSMTPD was designed to be secure, reliable, performant, and easy to configure. Indeed, its codebase lives up to OpenBSD's reputation: it is clean, modular, privilege-separated, and made our audit easy and really enjoyable.
However, the project is pretty much in its infancy (the first stable version, 5.3, was released on March 17, 2013), which explains why we discovered various vulnerabilities during our security assessment:

- an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory;
- multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD;
- a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
- a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files;
- a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd);
- a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition;
- an out-of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection;
- a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
- multiple inter-process vulnerabilities that allow attackers to escalate from one (already-compromised) OpenSMTPD process to another.

========================================================================
Approach
========================================================================

The OpenSMTPD version that we audited is available at:

http://ift.tt/1LsoX1I

and is installed by default on OpenBSD's latest release (OpenBSD 5.7, released on May 1, 2015). Unless otherwise noted, the vulnerabilities that we discovered in OpenSMTPD 5.4.4p1 affect OpenSMTPD's latest release as well (OpenSMTPD 5.7.1p1, released on June 30, 2015).
The "hybrid approach" that we adopted to review OpenSMTPD is described in the bible of code auditing, "The Art of Software Security Assessment" (by Mark Dowd, John McDonald, and Justin Schuh):

- We started with a "top-down approach" and reviewed the high-level information that we gathered on OpenSMTPD: READMEs, manual pages, web pages (http://ift.tt/1iYlevB and https://www.poolp.org/). This approach allowed us to quickly understand OpenSMTPD's design (seven privilege-separated, long-running, and event-driven processes that communicate through UNIX sockets and the imsg API) and identify its attack surface (local, remote, and inter-process entry points).

- We continued with a "bottom-up approach" and reviewed OpenSMTPD's implementation: the lowest-level code first (openbsd-compat/ and smtpd/mproc.c), followed by the higher-level code. This approach allowed us to quickly identify complex vulnerabilities: the remote out-of-bounds memory read and use-after-free are actually a combination of several low-level and high-level bugs.
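The Summary lists two local hardlink attacks against files that OpenSMTPD opens. As an added example that is not part of the Qualys report or of OpenSMTPD's own code, the C program below shows the generic defensive check a privileged process can apply before trusting a path that a local user may control: open with O_NOFOLLOW, then fstat() the already-open descriptor and refuse anything that is not a regular file, has more than one link, or is not owned by the expected user. The function names, the scratch directory under /tmp and the "secret" file contents are assumptions constructed for the demo.

```c
/* Added example: hardlink-aware file open check (not OpenSMTPD code). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts returned by safe_open_regular(). */
enum open_result {
    OPEN_OK = 0,
    OPEN_ERR_OPEN = 1,     /* open(2)/fstat(2) failed (a symlink is refused by O_NOFOLLOW) */
    OPEN_ERR_NOTREG = 2,   /* not a regular file */
    OPEN_ERR_HARDLINK = 3, /* link count != 1: the name may alias someone else's file */
    OPEN_ERR_OWNER = 4     /* owned by a user other than expected_uid */
};

/* Open `path` read-only only if it is a regular file with exactly one hard
 * link that belongs to `expected_uid`. The checks run on the open descriptor
 * (fstat, not stat), so a rename or link between a lookup and the open
 * cannot swap the file underneath us. On success *fd_out receives the fd. */
int safe_open_regular(const char *path, uid_t expected_uid, int *fd_out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return OPEN_ERR_OPEN;
    if (fstat(fd, &st) < 0) { close(fd); return OPEN_ERR_OPEN; }
    if (!S_ISREG(st.st_mode)) { close(fd); return OPEN_ERR_NOTREG; }
    if (st.st_nlink != 1)     { close(fd); return OPEN_ERR_HARDLINK; }
    if (st.st_uid != expected_uid) { close(fd); return OPEN_ERR_OWNER; }
    *fd_out = fd;
    return OPEN_OK;
}

/* Demo on constructed data: create a scratch file, confirm it is accepted,
 * then add a hardlink to it and confirm the alias is now refused.
 * Returns 1 when both verdicts are as expected, 0 otherwise, -1 on setup error. */
int demo_hardlink_rejected(void)
{
    char dir[] = "/tmp/hardlink-demo-XXXXXX";   /* assumed scratch location */
    char target[256], alias_path[256];
    int fd, rc_before, rc_after, ok;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(alias_path, sizeof alias_path, "%s/alias", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    if (write(fd, "secret\n", 7) != 7) { close(fd); unlink(target); rmdir(dir); return -1; }
    close(fd);

    /* Single-link regular file owned by us: accepted. */
    rc_before = safe_open_regular(target, getuid(), &fd);
    if (rc_before == OPEN_OK)
        close(fd);

    /* After link(2) both names report st_nlink == 2, so either one is refused. */
    if (link(target, alias_path) < 0) { unlink(target); rmdir(dir); return -1; }
    rc_after = safe_open_regular(alias_path, getuid(), &fd);
    if (rc_after == OPEN_OK)
        close(fd);

    unlink(alias_path);
    unlink(target);
    rmdir(dir);

    ok = (rc_before == OPEN_OK && rc_after == OPEN_ERR_HARDLINK);
    return ok ? 1 : 0;
}

int main(void)
{
    int r = demo_hardlink_rejected();
    printf("hardlink demo: %s\n", r == 1 ? "alias refused as expected" : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

Refusing on st_nlink != 1 is deliberately coarse: once a second link exists the process cannot tell which name is the attacker's alias, so it declines both rather than risk reading or modifying a file the user should not reach. The owner check covers the same class of attack for files in directories writable by other users.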