Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mk.absturztau.be/notes/9x5h7yez3ofi0094">niconiconi (niconiconi@mk.absturztau.be)'s status on Tuesday, 20-Aug-2024 19:34:16 JST</a><a href="https://mk.absturztau.be/@niconiconi" title="niconiconi@mk.absturztau.be"><img src="https://gnusocial.jp/theme/gnusocialjp/default-avatar-stream.png" width="48" height="48" alt="niconiconi" style="position: absolute; left: 0; top: 0;">niconiconi</a><div><ul><li></ul></div></section><article><p>When I was installing my first mail server years ago, I saw mbox and thought, "Seriously? Who still uses this ancient format from the original Unix..." and changed that to Maildir without thinking. When reviewing old news today, TIL I unconsciously hardened my server from that infamous 2020 OpenSMTPD root exploit. :blobcatlul: Turned out the ancient mbox format also made it difficult to drop privileges... Also, <a href="https://queer.hacktivis.me/users/lanodan">@lanodan@queer.hacktivis.me</a>, hi. <a href="https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/">https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3543270#notice-6956602">In conversation</a><time datetime="2024-08-20T19:34:16+09:00" title="Tuesday, 20-Aug-2024 19:34:16 JST">about 3 months ago</time> <span>from <span><a href="https://mk.absturztau.be/notes/9x5h7yez3ofi0094" rel="external" title="Sent from mk.absturztau.be via ActivityPub">mk.absturztau.be</a></span></span><a href="https://mk.absturztau.be/notes/9x5h7yez3ofi0094">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3062702">@poolpOrgpoolpOrg wrote:&gt; Users can avoid dangerous code by not using action mbox, is that correct?In a vulnerable OpenSMTPD, only maildir is safe.On a fix OpenSMTPD, yes you are right: only action mbox is dangerous.I'm working with other OpenBSD hackers on lifting the requirement for privileges in mail.local so that OpenSMTPD can consider it similar to any other delivery method and it will no longer be dangerous.</a></label><br><a href="https://misskey-taube.s3.eu-central-1.wasabisys.com/files/20617ed8-bf67-4124-b967-d323bfd57792.webp" rel="external">https://misskey-taube.s3.eu-central-1.wasabisys.com/files/20617ed8-bf67-4124-b967-d323bfd57792.webp</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3062703">@lanodanlanodan wrote:Hi, maybe for the Linux side of things it could use capabilities(7) and/or something like AppArmor+SELinux? capabilities would allow to drop all SuperUser privileges and only keep the ones needed. AppArmor/SELinux would allow to also restrict capabilities and their actions further.</a></label><br><a href="https://misskey-taube.s3.eu-central-1.wasabisys.com/files/defc51ce-fab8-43f3-893a-615e7f8155c2.webp" rel="external">https://misskey-taube.s3.eu-central-1.wasabisys.com/files/defc51ce-fab8-43f3-893a-615e7f8155c2.webp</a></li><li><article><header><div>Domain not in remote thumbnail source whitelist: poolp.org</div><h5><a href="https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/">OpenSMTPD advisory dissected</a></h5><div></div></header><div>TL;DR: - Qualys released an advisory for a bad, bad vulnerability - an MTA is a very bad software to have a vulnerability in - hole was plugged but that's not enough, similar bugs should be mitigated in the future - article discusses what could have prevented escalation despite the bug What happened ?</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
niconiconi (niconiconi@mk.absturztau.be)'s status on Tuesday, 20-Aug-2024 19:34:16 JSTniconiconi
- Haelwenn /элвэн/ :triskell:
When I was installing my first mail server years ago, I saw mbox and thought, "Seriously? Who still uses this ancient format from the original Unix..." and changed that to Maildir without thinking. When reviewing old news today, TIL I unconsciously hardened my server from that infamous 2020 OpenSMTPD root exploit. :blobcatlul: Turned out the ancient mbox format also made it difficult to drop privileges... Also, @lanodan@queer.hacktivis.me, hi. https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
In conversationabout 3 months ago from mk.absturztau.bepermalink
Attachments
1. @poolpOrgpoolpOrg wrote: > Users can avoid dangerous code by not using action mbox, is that correct? In a vulnerable OpenSMTPD, only maildir is safe. On a fix OpenSMTPD, yes you are right: only action mbox is dangerous. I'm working with other OpenBSD hackers on lifting the requirement for privileges in mail.local so that OpenSMTPD can consider it similar to any other delivery method and it will no longer be dangerous.
  https://misskey-taube.s3.eu-central-1.wasabisys.com/files/20617ed8-bf67-4124-b967-d323bfd57792.webp
2. @lanodanlanodan wrote: Hi, maybe for the Linux side of things it could use capabilities(7) and/or something like AppArmor+SELinux? capabilities would allow to drop all SuperUser privileges and only keep the ones needed. AppArmor/SELinux would allow to also restrict capabilities and their actions further.
  https://misskey-taube.s3.eu-central-1.wasabisys.com/files/defc51ce-fab8-43f3-893a-615e7f8155c2.webp
3. Domain not in remote thumbnail source whitelist: poolp.org
  OpenSMTPD advisory dissected
  TL;DR: - Qualys released an advisory for a bad, bad vulnerability - an MTA is a very bad software to have a vulnerability in - hole was plugged but that's not enough, similar bugs should be mitigated in the future - article discusses what could have prevented escalation despite the bug What happened ?

Public

Embed Notice

HTML Code

Corresponding Notice