A security weakness exists in renattach 1.2.0 and 1.2.1, although there does not appear to be a practical way to exploit the code for remote access, arbitrary execution, or other immediate damage. The weakness only applies to the --pipe facility. The problem has been fixed in beta version 1.2.1e (soon to become 1.2.2 release).
db108612758ccded9c534e95a3bc8a27785ac15c0c5e685d14c1eb625191e746
Security fixes in renattach 1.2.1e
2004-10-03 13:00 CDT
EXECUTIVE SUMMARY
A security weakness exists in renattach 1.2.0 and 1.2.1, although
there DOES NOT appear to be a practical way to exploit the code for
remote access, arbitrary execution, or other immediate damage. The
weakness only applies to the --pipe facility. The problem has been
fixed in beta version 1.2.1e (soon to become 1.2.2 release). Sites
testing 1.2.1e should read the new instructions for --pipe, below.
Your feedback on the 1.2.1e build is requested, as we prepare 1.2.2.
CURRENT VERSION
https://www.pc-tools.net/beta/renattach/renattach-1.2.1e.tar.gz
DESCRIPTION OF PROBLEM
renattach 1.2.0 and 1.2.1 used the popen() function in order to provide
the --pipe facility, to send output to an external command. Internally,
popen() used sh which introduces shell manipulation risks. renattach
removes dangerous shell characters from the command line to reduce this
risk, but execution via shell is still inherently risky. Note that the
author has not been informed of any actual exploit or demonstration of an
attack that could lead to remote access. Immediate risk appears to be low.
DESCRIPTION OF FIX
This dangerous --pipe implementation has now been replaced (in 1.2.1e and
for the upcoming 1.2.2 release) with a direct fork/exec, using unmodified
original arguments. This entirely avoids shell interpretation problems. An
additional benefit is improved integration with (e.g.) Postfix. renattach
overhead has also decreased, since sh is no longer forked (fewer PIDs).
IMPORTANT NOTES ON MAKE AND INSTALL
Please consult the ChangeLog for a complete description of changes since
1.2.1 release. The changes to the software have not yet been reflected in
the man page or installation instructions.
Please check the build process and inform us of any errors. Some changes
have been made in order to accommodate OS/2, win32, and other non-UNIXes.
The --pipe feature, if used, now has to be the last option on the command
line. The command name (specify full path) and arguments after --pipe are
taken as-is. DO NOT use quotation marks around this command to execute.
Run with --verbose to see details on the command, arguments, and exit
code of the external command.
For Postfix integration, /etc/postfix/master.cf should now contain:
/path/to/renattach -p /path/to/sendmail -i -f ${sender} -- ${recipient}
Note that quotation marks are no longer included in the command line.
--
Jem Berkes, SysDesign [ www.sysdesign.ca ]
Email: jberkes@pc-tools.net