[Users] checkhack-zimbra-preferences shell escape issues

Guy CARRÉ guycarre at free.fr
Tue Jun 7 15:35:56 CEST 2016 

Hello, 

as it seems that the script is very old, I would advice to upgrade it by using Bash best practises, even if it is KSH which is call. 
Command like : 
this command_1=`hostname -f` 
for example has to be changed into 
command_1=$(hostname -f) 
same thing with variable : 
VAR_1=bob 
should be used like this : 
${VAR_1} 
and some people use over quote technic too. 

Regards, 



___________________________________ 
/ \ 
/-------------------------------------\ 
| Guy CARRÉ | 
| ************* | 
| PostMaster - WikiMaster - SysAdmin | 
| | 
| "Free Your Mind. Think Open Source" | 
| april.org | 
| | 
|_____________________________________| 

----- Mail original -----

De: "Keith McDermott" <keithmcd at purdue.edu> 
À: "Barry De Graaff" <barrydg at zetalliance.org>, users at lists.zetalliance.org, devel at lists.zetalliance.org 
Envoyé: Mardi 7 Juin 2016 14:32:39 
Objet: Re: [Users] checkhack-zimbra-preferences shell escape issues 


Hi Barry, 
I can't remember if it was noted on Git or not, but this was written for ZCS6. We never had issues like this happen in our usage of the script for the past 5-6 years. There would be an odd thing very rarely that would cause key/pairs to get messed up, but it always created one file per user. 
Perhaps something's changed in some of the commands that are being ran since ZCS6? 
Files should be created such as: 
/tmp/zimbra-preferences-scores/2016-06-16/keithmcd 
-keith 


Keith McDermott
Messaging Systems Administrator
ITIS, ITaP
Purdue University

E-mail: keithmcd at purdue.edu Address:155 S. Grant Street
        West Lafayette, IN 47907
        
"The road to wisdom, well, it's plain and simple to express,
 Err and err and err again, but less and less and less."
 - Piet Hein 
On 6/7/16 00:49, Barry De Graaff wrote: 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello All,

I looked into checkhack-zimbra-preferences, it seems like writing it took a lot of time, and
it is a great effort.

However, I was able to crash the script by adding a plain-text signature for a user (see attached).
The script would then try to create arbitrary files on the server file system. That does suggest
shell escaping is not being done properly by this script.

[root at myzimbra ~]#  /usr/local/sbin/checkhack-zimbra-preferences.sh
/tmp/zimbra-preferences-scores/2016-06-06/admin
/tmp/zimbra-preferences-scores/2016-06-06/if
/tmp/zimbra-preferences-scores/2016-06-06/zimbrapreffromaddress
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefidentityname
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)if
/usr/local/sbin/checkhack-zimbra-preferences.sh[420]: /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)if: cannot create [File name too long]
/tmp/zimbra-preferences-scores/2016-06-06/zimbrasignaturename


[root at myzimbra ~]# ls --full-time /tmp/zimbra-preferences-scores/2016-06-06/
total 20
 - -rw-------. 1 root root 2 2016-06-06 21:19:12.137399697 +0200 admin
 - -rw-------. 1 root root 2 2016-06-06 21:19:12.145399735 +0200 if
 - -rw-------. 1 root root 2 2016-06-06 21:19:12.152399768 +0200 zimbrapreffromaddress
 - -rw-------. 1 root root 2 2016-06-06 21:19:12.162399815 +0200 zimbraprefidentityname
 - -rw-------. 1 root root 2 2016-06-06 21:19:12.172399863 +0200 zimbrasignaturename


Means, it tried to create a file with name:
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)if

This is potentially unsafe, I would require me to rewrite the script to make sure it escapes
all user input. Considering this is a script to prevent hackers and spammer from abusing
services, I do not think I can use it, as is.

See: https://github.com/Zimbra-Community/zimbra-tools/blob/master/checkhack-zimbra-preferences Kind regards,

Barry de Graaff
Zeta Alliance Founder www.zetalliance.org Skype: barrydegraaff.tk
Fingerprint: 9e0e165f06b365ee1e47683e20f37303c20703f8
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v2.3.0
Comment: http://openpgpjs.org wsFcBAEBCAAQBQJXVlI7CRAg83MDwgcD+AAA3sYP/39cS834bckQ6FPHnqeW
edqoURVfuVHqH4TbMIOTg0hkiBp1bKBvv30XF9ObxBUsK8+MhAuj0EeTMeYN
RGuHC3hRX7e9F1miogAVGEHjkfUws3JqZB9FuPquOtCEPsbgMaRlrHeSD62K
9JynIoOG65jdM7FEpJpnjB/iOAfClAxcx1LIT8JkeHiDGVC6BnDeQINnLR0G
O7P+xyoYoCmJdJPNtFkaZiEhUBmd/TAM+Q39ImVXQmvpK7gpYpMgLJ+iCnVj
GvsKi67ntKN4dETFdldZ0mIWp6To/iORZ7Cnz0Lw3fngDJHXPyzctJV2djtf
ET1YeobvM95yniS3qKdT+sbmZs4jfZA75mOuTJXDP1nYEnO01Dchw+HE2UQN
LiK0bKkFXpCf+lPRfAqff6RW5MWwgEsG16Sy5xNk9pRhNw5FWrw9vknvQmpA
4feH2fcrq7Y8ePIDcsmDN31vYrNl2xMF3Qf0294V4EMdUWCSsbIQlHnFvzQL
hcpBNh1rTwsBi38qBgChYIi75B7VLnWm90tnpvaVJBNydHykHZOXxYzlz4+O
VY8nCX5+H8VPHNdrCLnFjov+g6tMhIk/gDNMyNjaXqn8Yp9WpdXI2nfjakUv
9NvW1Kw96geE07yuK0wCmsib6xf+zcN3ZZTwGiYo1L1/obg0LslrxY9MELF9
kuKP
=yYN+
-----END PGP SIGNATURE----- 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20160607/d090fd72/attachment.html>

More information about the Users mailing list