Hi

From bugtraq:
-------------------------------------------
Date: Sun, 18 Apr 2004 21:12 +0200
From: priestmaster@sms.at
To: bugtraq@securityfocus.com
Cc: vuldb@securityfocus.com
Subject: ssmtp insecure file creation

Hi,

ssmtp 2.50.6 creates a logfile /tmp/ssmtp.log. The data in this logfile is user specified. It's possible to overwrite any file with the permissions of the ssmtp program (normally root). The vulnerable call is in log_event.

log_event vulnerable call:

#ifdef LOGFILE
        if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
                (void)fprintf(fp, "%s\n", buf);
                (void)fclose(fp);
        }
#endif

I think that all versions of ssmtp are vulnerable to this bug.

Have a nice day,
priest@priestmaster.org
http://www.priestmaster.org
--------------------------------------------------------

Now I checked the source on the default Gentoo installed version (2.48) and it seems to have the code, but I don't think it gets compiled unless LOGFILE is defined (which I don't see being defined); also grep "ssmtp.log" on the installed ssmtp binary doesn't find any match. So Gentoo doesn't seem to be vulnerable to this bug, but I wanted a second opinion here and probably others too are interested in this matter.

Reproducible: Always

Steps to Reproduce:
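As an added example, not code from the bug report or the ssmtp project: a hardened replacement for the fopen("/tmp/ssmtp.log", "a") call quoted above, plus a constructed demo of the setup the report describes (a symlink planted at the log path pointing at another file). safe_log_event and demo_symlink_attack_blocked are hypothetical names, and the scratch directory under /tmp is constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened stand-in for fopen(path, "a") (hypothetical name, not ssmtp's API):
 * never follow a symlink at path, then fstat() the descriptor and insist on a
 * regular file owned by the effective uid with a single hard link.
 * Returns 0 on success, -1 on refusal or I/O error with errno set. */
int safe_log_event(const char *path, const char *buf)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                /* ELOOP here: a symlink sat at path */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    FILE *fp = fdopen(fd, "a");           /* fp owns fd; fclose() releases both */
    if (fp == NULL) { close(fd); return -1; }
    int rc = fprintf(fp, "%s\n", buf) < 0 ? -1 : 0;
    return fclose(fp) == 0 ? rc : -1;
}

/* Constructed demo of the report's setup: a symlink named ssmtp.log in a private
 * scratch directory points at a decoy victim file. Returns 1 when the logger
 * refuses the link, the victim is untouched, and a real log file still appends. */
int demo_symlink_attack_blocked(void)
{
    char dir[] = "/tmp/ssmtp-demo-XXXXXX", victim[64], link[64], real[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ssmtp.log", dir);
    snprintf(real, sizeof real, "%s/real.log", dir);
    FILE *v = fopen(victim, "w");
    int ok = v && fputs("original\n", v) >= 0 && fclose(v) == 0 && symlink(victim, link) == 0;
    ok = ok && safe_log_event(link, "injected") == -1;                 /* link refused   */
    ok = ok && stat(victim, &st) == 0 && st.st_size == 9;               /* decoy intact   */
    ok = ok && safe_log_event(real, "hello") == 0 && safe_log_event(real, "world") == 0;
    ok = ok && stat(real, &st) == 0 && st.st_size == 12;                /* "hello\nworld\n" */
    unlink(link); unlink(victim); unlink(real); rmdir(dir);
    return ok;
}
```

The ownership and link-count checks after fstat() matter as much as O_NOFOLLOW: they catch a hard link or a pre-created file owned by another user, which O_NOFOLLOW alone does not.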
could someone from net-mail look/patch as appropriate?
I also checked. Gentoo does not enable this, nor could it even be enabled at all.

FILE *fp; /* was missing from the code. */

solar@simple ssmtp-2.60 $ ./configure --enable-logfile
....
solar@simple ssmtp-2.60 $ make
gcc -Wall -DSTDC_HEADERS=1 -DHAVE_LIMITS_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_UNISTD_H=1 -DHAVE_LIBNSL=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_GETHOSTNAME=1 -DHAVE_SOCKET=1 -DHAVE_STRDUP=1 -DHAVE_STRSTR=1 -DLOGFILE=1 -DREWRITE_DOMAIN=1 -DSSMTPCONFDIR=\"/usr/local/etc/ssmtp\" -DCONFIGURATION_FILE=\"/usr/local/etc/ssmtp/ssmtp.conf\" -DREVALIASES_FILE=\"/usr/local/etc/ssmtp/revaliases\" -c -o ssmtp.o ssmtp.c
ssmtp.c: In function `log_event':
ssmtp.c:109: error: `fp' undeclared (first use in this function)
ssmtp.c:109: error: (Each undeclared identifier is reported only once
ssmtp.c:109: error: for each function it appears in.)
make: *** [ssmtp.o] Error 1

This would not have worked in the first place. Nonetheless I fixed it and put it in portage as ssmtp-2.60.7. If --enable-logfile is enabled now, it will go to /dev/stdout unless -DLOGFILE_FILENAME="/path/to/some/filename" is defined.
If the code in question doesn't even compile, I think it's safe to assume this isn't an issue we need to worry about. I'm going to close this for now. If anyone disagrees, by all means please reopen it.