Security fixes in renattach 1.2.1e 2004-10-03 13:00 CDT EXECUTIVE SUMMARY A security weakness exists in renattach 1.2.0 and 1.2.1, although there DOES NOT appear to be a practical way to exploit the code for remote access, arbitrary execution, or other immediate damage. The weakness only applies to the --pipe facility. The problem has been fixed in beta version 1.2.1e (soon to become 1.2.2 release). Sites testing 1.2.1e should read the new instructions for --pipe, below. Your feedback on the 1.2.1e build is requested, as we prepare 1.2.2. CURRENT VERSION http://www.pc-tools.net/beta/renattach/renattach-1.2.1e.tar.gz DESCRIPTION OF PROBLEM renattach 1.2.0 and 1.2.1 used the popen() function in order to provide the --pipe facility, to send output to an external command. Internally, popen() used sh which introduces shell manipulation risks. renattach removes dangerous shell characters from the command line to reduce this risk, but execution via shell is still inherently risky. Note that the author has not been informed of any actual exploit or demonstration of an attack that could lead to remote access. Immediate risk appears to be low. DESCRIPTION OF FIX This dangerous --pipe implementation has now been replaced (in 1.2.1e and for the upcoming 1.2.2 release) with a direct fork/exec, using unmodified original arguments. This entirely avoids shell interpretation problems. An additional benefit is improved integration with (e.g.) Postfix. renattach overhead has also decreased, since sh is no longer forked (fewer PIDs). IMPORTANT NOTES ON MAKE AND INSTALL Please consult the ChangeLog for a complete description of changes since 1.2.1 release. The changes to the software have not yet been reflected in the man page or installation instructions. Please check the build process and inform us of any errors. Some changes have been made in order to accommodate OS/2, win32, and other non-UNIXes. The --pipe feature, if used, now has to be the last option on the command line. The command name (specify full path) and arguments after --pipe are taken as-is. DO NOT use quotation marks around this command to execute. Run with --verbose to see details on the command, arguments, and exit code of the external command. For Postfix integration, /etc/postfix/master.cf should now contain: /path/to/renattach -p /path/to/sendmail -i -f ${sender} -- ${recipient} Note that quotation marks are no longer included in the command line. -- Jem Berkes, SysDesign [ www.sysdesign.ca ] Email: jberkes@pc-tools.net