
Bug 132376

Summary: Information leak in mail-mta/ssmtp leads to password exposure
Product: Gentoo Security
Reporter: Ben XO <gentoo>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: minor
CC: lcars, weyhan
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4?
Package list:
Runtime testing required: ---
Attachments: always set minus_v to False when spitting out password

Description Ben XO 2006-05-05 13:28:06 UTC
Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage.

ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which requires a username and password. For example, this is a valid ssmtp.conf:

mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
AuthUser=me@ben-xo.com
AuthPass=123456
AuthMethod=LOGIN

Naturally, my AUTH SMTP password is in there - so I have done the following:

chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp

giving...

-rw-r----- 1 root mail  1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp

...as intended.

However, as an unprivileged user,

xo@marshmallow ~ $ mail -v -s 'This is a test.' test@gentoo.org
Hi. Nothing else.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[->] MTIzNDU2
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<xo@mail.1dnb.com>
[<-] 250 ok
[->] RCPT TO:<test@gentoo.org>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri,  5 May 2006 21:23:02 +0100
[->] From: xo@mail.1dnb.com
[->] Date: Fri,  5 May 2006 21:23:02 +0100
[->] To: test@gentoo.org
[->] Subject: This is a test.
[->]
[->] Hi. Nothing else.
[->] .
[<-] 250 ok 1146860502 qp 8976
[->] QUIT
[<-] 221 rain.1dnb.com


All I can say is... oops. As you can see, the password is quite clearly visible in the output (albeit base64 encoded).

Patch attached that removes this specific information leak (the rest of the info is left in for debugging). 

A more secure (optional?) patch would possibly remove the username, or the -v option altogether.

With the patch, we get the following output instead:

xo@marshmallow ~ $ mail -v -s "a test! hah." me@ben-xo.com
Hi. This is all, 2.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<root@mail.1dnb.com>
[<-] 250 ok
[->] RCPT TO:<me@ben-xo.com>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri,  5 May 2006 21:26:59 +0100
[->] From: "root" <root@mail.1dnb.com>
[->] Date: Fri,  5 May 2006 21:26:59 +0100
[->] To: me@ben-xo.com
[->] Subject: a test! hah.
[->]
[->] Hi. This is all, 2.
[->] .
[<-] 250 ok 1146860738 qp 31085
[->] QUIT
[<-] 221 rain.1dnb.com
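Added example, not ssmtp code and not the attached patch: a small Python scanner that does what anyone reading the `-v` output above would do, decoding the AUTH exchange back to the plaintext username and password, and then produces the redacted transcript the attached patch aims for. `SAMPLE_TRANSCRIPT` is the AUTH portion of the reporter's own output; the AUTH PLAIN sample, the challenge-style AUTH LOGIN sample and the `scan`/`redact` function names are this example's own. It goes a little beyond the report, which only shows AUTH LOGIN with an initial response, by also handling AUTH PLAIN and the two-challenge form of AUTH LOGIN.

```python
"""Scan an ssmtp-style "-v" transcript for the SMTP AUTH credentials it leaks
and produce the redacted transcript the attached patch aims for.

Added example for this bug report, not ssmtp code.  SAMPLE_TRANSCRIPT is taken
from the reporter's own "mail -v" output; the AUTH PLAIN sample in the tests
is constructed from the same username and password."""
import base64
import re
from typing import Dict, List, Optional, Tuple

CLIENT, SERVER = "[->] ", "[<-] "   # line prefixes ssmtp -v uses
AUTH_RE = re.compile(r"AUTH\s+(\w+)(?:\s+(\S+))?$", re.IGNORECASE)

SAMPLE_TRANSCRIPT = [
    "[<-] 220 rain.1dnb.com ESMTP",
    "[->] EHLO marshmallow",
    "[<-] 250 SIZE 0",
    "[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==",   # initial response = base64(username)
    "[<-] 334 UGFzc3dvcmQ6",                  # base64("Password:")
    "[->] MTIzNDU2",                          # base64("123456")
    "[<-] 235 ok, go ahead (#2.0.0)",
    "[->] MAIL FROM:<xo@mail.1dnb.com>",
]


def _b64(token: str) -> Optional[str]:
    """Decode one base64 token, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:                       # binascii.Error is a ValueError subclass
        return None


def _plain(creds: Dict[str, Optional[str]], blob: str) -> None:
    """AUTH PLAIN carries NUL-separated authzid, authcid and password in one token."""
    parts = (_b64(blob) or "").split("\0")
    if len(parts) == 3:
        creds["username"], creds["password"] = parts[1], parts[2]


def scan(lines: List[str]) -> Tuple[Dict[str, Optional[str]], Dict[int, str]]:
    """Return (credentials, {line index: 'username' | 'password'}) for the client
    lines that disclose each field.  Handles AUTH LOGIN with or without an
    initial response, and AUTH PLAIN as an initial response or as the reply to
    an empty 334 challenge."""
    creds: Dict[str, Optional[str]] = {"method": None, "username": None, "password": None}
    marks: Dict[int, str] = {}
    expect: Optional[str] = None             # what the next client line carries
    for i, line in enumerate(lines):
        if line.startswith(CLIENT):
            payload = line[len(CLIENT):].strip()
            if expect is not None:           # reply to a 334 challenge
                if expect == "plain":
                    _plain(creds, payload)
                else:
                    creds[expect] = _b64(payload)
                marks[i] = "username" if expect == "username" else "password"
                expect = None
                continue
            m = AUTH_RE.match(payload)
            if m:
                creds["method"] = m.group(1).upper()
                initial = m.group(2)
                if initial and creds["method"] == "PLAIN":
                    _plain(creds, initial)
                    marks[i] = "password"
                elif initial and creds["method"] == "LOGIN":
                    creds["username"] = _b64(initial)
                    marks[i] = "username"
        elif line.startswith(SERVER + "334"):
            challenge = (_b64(line[len(SERVER) + 3:].strip()) or "").lower()
            if creds["method"] == "PLAIN":
                expect = "plain"
            elif challenge.startswith("username"):
                expect = "username"
            elif challenge.startswith("password"):
                expect = "password"
    return creds, marks


def redact(lines: List[str], hide_username: bool = False) -> List[str]:
    """Copy of the transcript with the password no longer visible.  The attached
    patch simply skips printing that line; a marker is kept here so the gap is
    visible.  hide_username=True also blanks the username, the stricter option
    the report mentions."""
    _, marks = scan(lines)
    out = []
    for i, line in enumerate(lines):
        field = marks.get(i)
        if field is None or (field == "username" and not hide_username):
            out.append(line)
        elif AUTH_RE.search(line):           # keep the AUTH verb, drop the token
            out.append(AUTH_RE.sub(lambda m: f"AUTH {m.group(1).upper()} <redacted>", line))
        else:
            out.append(CLIENT + "<redacted>")
    return out


if __name__ == "__main__":
    leaked, _ = scan(SAMPLE_TRANSCRIPT)
    print("leaked:", leaked)   # leaked: {'method': 'LOGIN', 'username': 'me@ben-xo.com', 'password': '123456'}
    print("\n".join(redact(SAMPLE_TRANSCRIPT)))
```

The point the scanner makes is the one the report makes: base64 is an encoding, not a cipher, so "albeit base64 encoded" offers no protection at all, and any account that can run `mail -v` through the sgid binary recovers the mailhub password in one call. Redacting the verbose output, as the attached patch does, closes this particular channel only; it does not change the fact that a setgid program is reading a secret on behalf of an unprivileged caller, which is the objection raised later in the thread.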
Comment 1 Ben XO 2006-05-05 13:29:04 UTC
Created attachment 86218 [details, diff]
always set minus_v to False when spitting out password
Comment 2 Ben XO 2006-05-05 13:43:24 UTC
Does this package originally come from Debian...? Guess it would need to go upstream.

I feel a lot more "comfortable" posting it here though, I don't use Debian for anything.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-14 05:42:51 UTC
lcars, sounds like another thing for you? please have a look, thanks
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-14 09:29:39 UTC
Reassigning to security since bug-wranglers are not able to see security restricted bugs.
Comment 5 Ben XO 2006-05-14 09:37:43 UTC
Thanks Stefan / Sune, it wasn't obvious to me that ticking "Gentoo Security" was not enough for this bug to be seen by the appropriate assignee.
Comment 6 Andrea Barisani (RETIRED) gentoo-dev 2006-05-14 20:34:42 UTC
busy this week but I'll try to take a look soon, will try to contact upstream
about it. (it would probably require a GLSA as well, or at least I'll vote for it)
Comment 7 Andrea Barisani (RETIRED) gentoo-dev 2006-05-23 02:06:21 UTC
(In reply to comment #3)
> lcars, sounds like another thing for you? please have a look, thanks
> 

No time this and next week to sort this (travelling), so if you have someone else that can look at it please proceed. thx
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-16 11:12:58 UTC
Andrea any news on this one?
Comment 9 Ben XO 2006-06-16 11:15:35 UTC
I reported it upstream with no response or acknowledgement other than the automated Debian thingy.

Either the maintainer's gone AWOL, or I'm doing something wrong (which is definitely possible :)
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 09:31:44 UTC
Any news on this one?
Comment 11 Ben XO 2006-07-01 03:57:14 UTC
The latest I see in portage is now ssmtp-2.61-r31, which by inspecting the ebuild does not appear to patch for this bug.
Comment 12 Ben XO 2006-08-05 09:05:39 UTC
3 months later...?
Comment 13 Tim Yamin (RETIRED) gentoo-dev 2006-08-08 16:13:29 UTC
(In reply to comment #12)
> 3 months later...?

Andrea has been very busy lately and hasn't had much time to look at things -- I suggest you send off a report to the vendor-sec list <vendor-sec@lst.de> as this affects several distributions (Debian, Gentoo, Ubuntu, possibly some others).
Comment 14 Ben XO 2006-08-08 16:31:08 UTC
ok, thanks for your suggestion. I have now done so. :) 

Sorry, I didn't mean to put unwanted pressure on busy people.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-10 00:42:07 UTC
Rerating as this seems to be a B4.
Comment 16 Tavis Ormandy (RETIRED) gentoo-dev 2006-08-24 11:35:54 UTC
Sorry, but while you may want to take this up with the author, giving random applications sgid and then being able to own them is not a security issue.

Obviously I would suggest you ask the author to add support for privileged operation to smtp.

RESOLVED => WONTFIX.
Comment 17 Ben XO 2006-08-24 11:51:29 UTC
Surely there should be, at the very least, some documentation that mail-mta/ssmtp is inherently insecure and should not be used in the (perfectly reasonable) configuration I described?

I am unlikely to be the only person with a shared system that has a mailhub that requires a password that is using the default Gentoo smtp client. I find it quite disturbing that it's the default client if you do not recommend using it in what seems to me to be a perfectly typical configuration.

If you think I should open my concern under a new bug (perhaps as a documentation bug?), then I certainly will.
Comment 18 Tavis Ormandy (RETIRED) gentoo-dev 2006-08-24 12:09:03 UTC
Ben: I think it's a perfectly reasonable feature request, and I see no reason why the author would turn it down, and even if he does, I'm sure you could convince our maintainer to add it. It seems like a good idea to me.

I just don't think we can consider this a security bug; if you were to refile it as an application bug, I'm sure the maintainer would take a look at it.
Comment 19 Jakub Moc (RETIRED) gentoo-dev 2007-08-05 20:30:02 UTC
*** Bug 187841 has been marked as a duplicate of this bug. ***