[Devel] [Users] checkhack-zimbra-preferences shell escape issues

Keith McDermott keithmcd at purdue.edu
Tue Jun 7 14:32:39 CEST 2016


Hi Barry,

I can't remember if it was noted on Git or not, but this was written for 
ZCS6.  We never had issues like this happen in our usage of the script 
for the past 5-6 years.  There would be an odd thing very rarely that 
would cause key/pairs to get messed up, but it always created one file 
per user.

Perhaps something's changed in some of the commands that are being run 
since ZCS6?

Files should be created such as:

/tmp/zimbra-preferences-scores/2016-06-16/keithmcd

-keith


Keith McDermott
Messaging Systems Administrator
ITIS, ITaP
Purdue University

E-mail: keithmcd at purdue.edu
Address: 155 S. Grant Street
         West Lafayette, IN 47907
         
"The road to wisdom, well, it's plain and simple to express,
  Err and err and err again, but less and less and less."
  - Piet Hein

On 6/7/16 00:49, Barry De Graaff wrote:
> Hello All,
>
> I looked into checkhack-zimbra-preferences, it seems like writing it took a lot of time, and
> it is a great effort.
>
> However, I was able to crash the script by adding a plain-text signature for a user (see attached).
> The script would then try to create arbitrary files on the server file system. That does suggest
> shell escaping is not being done properly by this script.
>
> [root at myzimbra ~]#  /usr/local/sbin/checkhack-zimbra-preferences.sh
> /tmp/zimbra-preferences-scores/2016-06-06/admin
> /tmp/zimbra-preferences-scores/2016-06-06/if
> /tmp/zimbra-preferences-scores/2016-06-06/zimbrapreffromaddress
> /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefidentityname
> /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)
> if
> /usr/local/sbin/checkhack-zimbra-preferences.sh[420]: /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)
> if: cannot create [File name too long]
> /tmp/zimbra-preferences-scores/2016-06-06/zimbrasignaturename
>
>
> [root at myzimbra ~]# ls --full-time /tmp/zimbra-preferences-scores/2016-06-06/
> total 20
> -rw-------. 1 root root 2 2016-06-06 21:19:12.137399697 +0200 admin
> -rw-------. 1 root root 2 2016-06-06 21:19:12.145399735 +0200 if
> -rw-------. 1 root root 2 2016-06-06 21:19:12.152399768 +0200 zimbrapreffromaddress
> -rw-------. 1 root root 2 2016-06-06 21:19:12.162399815 +0200 zimbraprefidentityname
> -rw-------. 1 root root 2 2016-06-06 21:19:12.172399863 +0200 zimbrasignaturename
>
>
> Means, it tried to create a file with name:
> /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)
> if
>
> This is potentially unsafe. It would require me to rewrite the script to make sure it escapes
> all user input. Considering this is a script to prevent hackers and spammers from abusing
> services, I do not think I can use it, as is.
>
> See: https://github.com/Zimbra-Community/zimbra-tools/blob/master/checkhack-zimbra-preferences
>
> Kind regards,
>
> Barry de Graaff
> Zeta Alliance Founder
> www.zetalliance.org
>
> Skype: barrydegraaff.tk
> Fingerprint: 9e0e165f06b365ee1e47683e20f37303c20703f8

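The behaviour Barry shows above (one preference value turning into several file names, one of them "if", and a "File name too long" error) is what an unquoted shell expansion of user-controlled data does. The following is an added example and not code from checkhack-zimbra-preferences: it reproduces the mechanism with a constructed signature value and places the unsafe pattern next to a hardened one. The function names, the `SIG_VALUE` sample and the allow-list are assumptions of this example, not the script's own.

```shell
#!/bin/sh
# Added example, not code from checkhack-zimbra-preferences. It models the
# failure Barry reports: a string under the mailbox owner's control (a mail
# signature preference) reaches an unquoted expansion that builds a file path,
# so the shell word-splits and glob-expands it and the script ends up creating
# files whose names the user chose. All names here are hypothetical.

# Constructed sample: a plain-text signature value containing whitespace,
# a glob character and a newline (the kind of content a signature may carry).
SIG_VALUE=$(printf 'keithmcd zimbraprefmailsignature:*\nif')

# Vulnerable pattern: $dir/$value expanded without quotes. The default IFS
# splits on space, tab and newline, so one value becomes several paths, and
# any "*" or "?" in them is then also subject to pathname expansion.
# Prints how many separate paths the shell would hand to the command.
unsafe_path_count() {
    dir=$1
    value=$2
    # shellcheck disable=SC2086  (left unquoted on purpose to show the bug)
    set -- $dir/$value
    echo "$#"
}

# Hardened pattern: the file name is derived only from the account name, that
# name is checked against a strict allow-list before use, and every expansion
# is quoted so the value stays one word however it is spelled. Leading "." and
# "-" are refused as well, which rules out "..", hidden files and option-like
# names.
safe_path() {
    dir=$1
    account=$2
    case "$account" in
        ''|.*|-*|*[!A-Za-z0-9._@-]*)
            printf 'refusing unsafe account name: %s\n' "$account" >&2
            return 1 ;;
    esac
    printf '%s\n' "$dir/$account"
}

# Writes a per-user score file the safe way: validated name, quoted path, and
# the raw preference value never takes part in the path at all. Prints the
# path it wrote.
write_score() {
    dir=$1
    account=$2
    score=$3
    path=$(safe_path "$dir" "$account") || return 1
    printf '%s\n' "$score" > "$path"
    printf '%s\n' "$path"
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
echo "unquoted expansion of the sample yields $(unsafe_path_count "$demo_dir" "$SIG_VALUE") paths instead of 1"
echo "safe write went to: $(write_score "$demo_dir" keithmcd 42)"
safe_path "$demo_dir" "$SIG_VALUE" || echo "sample value rejected as a file name, as intended"
rm -rf "$demo_dir"
```

Two cheap defence-in-depth measures fit the same script: `set -f` (`set -o noglob`) near the top stops pathname expansion of any stray unquoted value, and running the script through shellcheck flags every unquoted expansion (its SC2086 warning) so the remaining ones can be quoted or validated as above.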