Headline
CVE-2020-12063: security - spoofing of local email sender via a homoglyph attack
** DISPUTED ** A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the ‘o’ character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a “Sender address rejected: not logged in” error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Apr 2020 15:10:55 +0300 From: PromiseLabs Pentest Research <pentest@…miselabs.net> To: oss-security@…ts.openwall.com Subject: spoofing of local email sender via a homoglyph attack
Hi,
The provided versions seem to be wrong on this request, sorry for this.
The exact version is from the postfix-2.10.1-7.el7.x86_64 package, thus the version stated in the CVE should be 2.10.1.
PLPR: Plamen Dimitrov Penetration Tester, CEH & OSCP certified
Promise Solutions LTD Penetration Testing and Managed Security services
https://www.promisedev.com https://www.promiselabs.net +359 883 22 05 12
On 2020-04-22 18:20, cve-request@…re.org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
The CVE ID is below. As far as we know, 3.3.0-1 is not a commonly used version. Please see the "[Reference]" section below.
[Suggested description] A certain Postfix 3.3.0-1 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the ‘o’ character.
[Additional Information] Postfix allows an email from unsanitized input, pretending to be from an existing user on the mail system, which may look exactly the same. For example, it is possible sending an email using the hex character \xce\ xbf, which looks exactly like the letter 'o’. In case the user john.doe exists on the mail server, postfix would not allow to send an email from this email account unless an unauthorized attempt is made. However, in case we substitute the letter ‘o’ with the hex character \xce\xbf, it will look exactly like it’s being sent from john.doe, although john.doe (j<\xce\xbf)hn.doe) is actually different from the other.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] postfix
[Affected Product Code Base] postfix 3.3.0-1 - 3.3.0-1
[Affected Component] postfix mail server
[Attack Type] Remote
[Discoverer] d7x, Promise Solutions LTD / www.promiselabs.net [1]
[Reference] https://www.promiselabs.net https://repology.org/project/postfix/versions http://www.postfix.org/announcements.html
Use CVE-2020-12063.
CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCAAGBQJeoGCRAAoJEPNX0OmQPkAIyDAQAI56GXHXS1AJQVx2nBBJosam 6d/mtkM+LozhzpBVydzed58z8P/Q/qGWXzdT0mmIvq+X2WQp7pvCrUH7l9wkniH+ 0FD0c+LO2T/oU7a6sqZ7EHC0V3GPKu/F1W+reNB9V0v8LyAfHLE50AdvHZZjGIHc lUvw/hqt+7NqpR2HFyjyA3sb1K8ZiqBcmxwV9ecECUx/smXFpjtdV9hTz7A9mgj8 ggkSjrkMQBsYqiU2OvPEfn4aKskavqTYLqVMxztieICoDPvNAGj+lnZIz4o6WIig d2lqtZ+/8fPVUaYGCikacMNAE4BGs61BQT7tuYdbMt8+wWnB+IU84hBC7Lb7OE8L 7O59MmmIF/C/jaaSmwy+FlSk+ZE95Q+SV7CHoYMLeongByo5drvqVuK79t5KVGDO L6m85ta3Jh/zzQ6srg6REgPuM1Q2cFwu7FmWg4vAEamCwHnjv6D6xRBRO4lBm9V1 Upek80hF+BI/JwvKlpng1pzKrClqvzGdeZA4kw5MLoiEN19cf2W85nO0L+cpoLbQ ixz/TarYDG9QQ89U3aJcrLDMH6hGsPKmTvD8dy5sVh+J3qK/zvj/eR98xy5jbKAn pt57X5qFkfu+Sf9yrC3RFBiNTJ/UB4vb0/25g8M4e+vUMb/kkNxbVVNoAg56Wl1M NLgC/CCd32QpiUFehvF2 =T4/w -----END PGP SIGNATURE-----
Links:
[1] http://www.promiselabs.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.