fwp1@CC.MsState.Edu (Frank Peters) (06/20/91)
A user just noticed that he can put any from address into the From:
header of a file and pipe it to /usr/lib/sendmail and have that address
appear in the From field of the delivered message. The unix From header
has the correct address (if it is present).

I realize how easy it is to spoof via smtp. But I would have thought this
case would be covered under the sendmail.cf trusted user declarations.

This is the sendmail as shipped with SunOS 4.1.1. Is there some way to
prevent this?

Frank
--
Frank Peters   Internet: fwp1@CC.MsState.Edu   Bitnet: FWP1@MsState
Phone: (601)325-2942   FAX: (601)325-8921
jiro@shaman.com (Jiro Nakamura) (06/20/91)
In article <FWP1.91Jun19183837@Jester.CC.MsState.Edu> fwp1@CC.MsState.Edu (Frank Peters) writes:
> A user just noticed that he can put any from address into the From:
> header of a file and pipe it to /usr/lib/sendmail and have that address
> appear in the From field of the delivered message. The unix From header
> has the correct address (if it is present).
>
> I realize how easy it is to spoof via smtp. But I would have thought this
> case would be covered under the sendmail.cf trusted user declarations.
>
> This is the sendmail as shipped with SunOS 4.1.1. Is there some way to
> prevent this?
>

I noticed that the sendmail as shipped out by NeXT also has this "feature."
Great security hazard. I see now why Cornell now warns people to not believe
any e-mail from root asking folk to change their passwords to certain
words.....

- Jiro Nakamura
jiro@shaman.com
--
Jiro Nakamura jiro@shaman.com
Shaman Consulting +1 607 277-1440 Voice/Fax/Data
"Bring your dead, dying shamans here!"
rickert@mp.cs.niu.edu (Neil Rickert) (06/20/91)
In article <FWP1.91Jun19183837@Jester.CC.MsState.Edu> fwp1@CC.MsState.Edu (Frank Peters) writes:
>A user just noticed that he can put any from address into the From:
>header of a file and pipe it to /usr/lib/sendmail and have that address
>appear in the From field of the delivered message. The unix From header
>has the correct address (if it is present).

What is the big deal? This is supposed to be part of the design. The
intention (if you look at RFC822) is that the 'From:' header is supposed to
reflect the author of the message. The SMTP envelope address, or in its
absence, the 'Sender:' header, are supposed to reflect the identity of the
person who transmitted the message.

What is the difference between this and ordinary paper mail? There you can
put any address you like, but the post office postmark will reflect where it
was really sent from.

One perfectly reasonable use might be that you are moving to a new address,
so you put your new email address on the 'From:' header, while the Unix
'From ' line contains the SMTP address reflecting where the message really
originated.
--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940
barnett@grymoire.crd.ge.com (Bruce Barnett) (06/21/91)
In article <1991Jun20.022606.1680@shaman.com> jiro@shaman.com (Jiro Nakamura) writes:
> In article <FWP1.91Jun19183837@Jester.CC.MsState.Edu> fwp1@CC.MsState.Edu
> (Frank Peters) writes:
>> I realize how easy it is to spoof via smtp. But I would have thought this
>> case would be covered under the sendmail.cf trusted user declarations.
> Great security hazard.

It is true the SunOS sendmail has this bug (allowing anyone to be
trusted). We use this bug to work around another bug when sending
mail inside GNU emacs.

But since it doesn't *add* any additional security hazard, it's not that
much of a problem - security wise.
--
Bruce G. Barnett barnett@crdgw1.ge.com uunet!crdgw1!barnett
lear@turbo.bio.net (Eliot) (06/22/91)
SMTP/Sendmail has never guaranteed even the simplest level of
authentication. If you want that, use privacy enhanced mail.
--
Eliot Lear
[lear@turbo.bio.net]
per@erix.ericsson.se (Per Hedeland) (06/30/91)
In article <BARNETT.91Jun21093917@grymoire.crd.ge.com> barnett@grymoire.crd.ge.com (Bruce Barnett) writes:
>It is true the SunOS sendmail has this bug (allowing anyone to be
>trusted). We use this bug to work around another bug when sending
>mail inside GNU emacs.

Well, SunOS sendmail does have the bug that anyone is "trusted", but
only if you use the OR option - and I wouldn't say it's the most serious
bug that OR brings along, the one with mail inside GNU emacs is another
of them...

But anyway, that's not relevant to allowing users to set the From:
address, which I believe most sendmails do (I'm sure Neil Rickert has
pointed this out already:-), "trusted" users are those who are allowed
to set the *envelope* sender, i.e. what is seen at the recipient end as
From_ or Return-Path:.

--Per Hedeland
per@erix.ericsson.se or
per%erix.ericsson.se@sunic.sunet.se or
...uunet!erix.ericsson.se!per
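
Added example, not part of the original thread: a recipient-side check that compares the From: author header with the envelope sender (the From_ line or Return-Path:) and uses Sender: to tell a declared author/transmitter split from an unexplained one. The function names, the four result labels and the sample addresses are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

def envelope_sender(msg):
    """Envelope sender recorded at delivery: mbox From_ line, else Return-Path."""
    unix_from = msg.get_unixfrom()  # e.g. "From user@host Wed Jun 19 ... 1991"
    if unix_from and len(unix_from.split()) > 1:
        return unix_from.split()[1].lower()
    return parseaddr(msg.get("Return-Path", ""))[1].lower() or None

def classify(raw):
    """Compare the From: author header with the envelope sender."""
    msg = email.message_from_string(raw)
    env = envelope_sender(msg)
    author = parseaddr(msg.get("From", ""))[1].lower()
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    if env is None:
        return "no-envelope"   # nothing to compare against
    if author == env:
        return "consistent"    # author and transmitter are the same address
    if sender == env:
        return "declared"      # Sender: names the transmitter, From: the author
    return "mismatch"          # From: differs and no Sender: accounts for it

# Constructed sample messages (addresses are placeholders).
HEAD = "From student@cs.example.edu Wed Jun 19 18:38:37 1991\n"
BODY = "To: staff@cs.example.edu\nSubject: notice\n\nPlease read.\n"
SAMPLES = {
    "plain": HEAD + "From: student@cs.example.edu\n" + BODY,
    "new-address": HEAD + "From: student@new.example.org\n"
                          "Sender: student@cs.example.edu\n" + BODY,
    "rewritten": HEAD + "From: root@cs.example.edu\n" + BODY,
    "bare": "From: root@cs.example.edu\n" + BODY,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {classify(raw)}")
```

A "mismatch" result only means the two addresses differ without a Sender: header accounting for it; neither the envelope sender nor any header is authenticated.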