COMMAND

    postfix/procmail/cyrus

SYSTEMS AFFECTED

    postfix

PROBLEM

    John Pettitt found the following.  There are a number of hacks about
    that allow postfix to deliver to cyrus imap mailboxes via procmail.
    It turns out that at least one of these has a hole in it that allows
    a bad guy to run code as the cyrus user.

    Prerequisites:

    1) procmail installed as mailbox_transport under postfix (this is a
       hack to get procmail to run under the cyrus user id).  If procmail
       is run as mailbox_command there does not seem to be an issue,
       since postfix nukes all the shell stuff before procmail gets
       called.

    2) an /etc/procmailrc that looks like this (or similar; the main
       feature being that it trusts the user data, in this case $1)

        # some reasonable defaults
        SHELL=/bin/sh
        DELIVER="/usr/cyrus/bin/deliver -a $1"
        MAILTO=$1
        MAILBOX=$2

        # this enables automated procmail recipe creation for users;
        # roll your own tool to allow creation of procmail recipes on a per-user
        # basis and place them there, but don't let users edit their own recipes
        INCLUDERC=/etc/procmailrcs/$1

        # make sure EXITCODE is clear: then it will take the value of the TRAP return
        EXITCODE=""

        TRAP="/usr/cyrus/bin/deliver -m $2 -- $1"

        # Procmail voodoo. The TRAP handles the mail delivery. We have to
        # prevent procmail from attempting a second delivery.
        #
        # in one line, kill procmail:
        HOST=

    When procmail processes the INCLUDERC and TRAP lines, backquote
    expansion happens.  Sending a message to `shell commands`@myhost.com
    will cause the commands to run under whatever ID procmail happens to
    be running as (typically cyrus).

    Also, if mail is sent to a nonexistent user (e.g. baduser), procmail
    will disclose the path to its include dir in the reply.  Mail can then
    be sent to, say, ../passwd, which will cause procmail to read passwd
    as a recipe file and barf its contents as an error response.

SOLUTION

    All of the above can be plugged by adding:

        # reject any recipient name containing a character outside the
        # safe set.  Spell out A-Z and a-z separately: the range A-z
        # also covers [ \ ] ^ _ and the backquote, and a pattern ending
        # in "[...]?" matches everything, so such a condition never fires.
        :0
        * MAILTO ?? [^-A-Za-z0-9_]
        /tmp/bad
        #or /dev/null according to taste

    before the INCLUDERC line in /etc/procmailrc.
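    As an added illustration (not part of the advisory, and not procmail or
    cyrus code), the following Python stand-in applies the same allowlist
    idea to both values the recipe receives, $1 (the user name) and $2 (the
    mailbox name, which also ends up on the TRAP command line), and shows
    why the A-z range that appeared in the original recipe is not a fix:
    that range includes the backquote.  The mailbox allowlist assumes
    cyrus' default "." hierarchy separator; the names in SAMPLES are
    constructed inputs.

```python
import re

# Allowlist for the user name passed to /etc/procmailrc as $1 (hypothetical
# policy, matching the character set the advisory's fix aims at).
SAFE_USER = re.compile(r"[A-Za-z0-9_-]+")

# Allowlist for the mailbox name passed as $2: dot-separated components, each
# drawn from the same set.  Assumes cyrus' default '.' hierarchy separator;
# a leading dot, an empty component or '..' can never match.
SAFE_MAILBOX = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*")

# The character class exactly as it appeared in the advisory's original
# recipe.  The range A-z covers ASCII 0x41..0x7a, which includes [ \ ] ^ _
# and the backquote, so the one character the fix most needs to reject
# slips straight through.
ADVISORY_CLASS = re.compile(r"[A-ZA-z0-9\-_]+")


def is_safe_user(user: str) -> bool:
    """True if every character of user is in the allowlist (empty fails)."""
    return SAFE_USER.fullmatch(user) is not None


def is_safe_mailbox(mailbox: str) -> bool:
    """True if mailbox is a well-formed, allowlisted cyrus mailbox name."""
    return SAFE_MAILBOX.fullmatch(mailbox) is not None


def advisory_class_accepts(token: str) -> bool:
    """True if the original recipe's character class accepts the whole token."""
    return ADVISORY_CLASS.fullmatch(token) is not None


def unsafe_chars(token: str) -> list:
    """Characters of token outside the user allowlist, in order of appearance."""
    return [c for c in token if SAFE_USER.fullmatch(c) is None]


def check_delivery_args(user: str, mailbox: str) -> dict:
    """Vet the two untrusted values before either is interpolated into
    DELIVER, INCLUDERC or TRAP.  Both must pass for delivery to proceed."""
    user_ok = is_safe_user(user)
    mailbox_ok = is_safe_mailbox(mailbox)
    return {"user_ok": user_ok, "mailbox_ok": mailbox_ok,
            "deliver": user_ok and mailbox_ok}


# Constructed sample inputs: one benign pair and the two shapes the advisory
# describes (a backquoted local part and a path-traversal include name).
SAMPLES = [
    ("alice", "user.alice"),
    ("`id`", "user.alice"),
    ("../passwd", "user.alice"),
    ("alice", "../passwd"),
]


def run_samples() -> list:
    """Return (user, mailbox, verdict) for each constructed sample."""
    return [(u, m, check_delivery_args(u, m)) for u, m in SAMPLES]


if __name__ == "__main__":
    for user, mailbox, verdict in run_samples():
        print(f"{user!r:14} {mailbox!r:14} -> {verdict}")
    # the original class is not a fix: the backquote sits inside its A-z range
    print("advisory class accepts '`id`':", advisory_class_accepts("`id`"))
```

    Only the first sample is delivered; the other three are rejected
    because at least one value contains a character outside its
    allowlist, which is the property the procmail recipe above is meant
    to enforce.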

    Please review

        ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

    which discusses rule sets that can sanitize mail for clients which
    use Windows.