Postfix SASL AUTH Reuse Memory Corruption

May 20, 2011

Postfix is a mail server for Unix-like platforms commonly used as a replacement for Sendmail. The SMTP protocol defines a set of commands that are used to deliver email messages between connected systems. The full SMTP protocol specification is outlined in RFC 821. SMTP commands are composed of ASCII text terminated by the newline sequence. In a standard SMTP session, an exchange ensues to ensure that the client is communicating with the correct host. Each SMTP session begins with the Server sending a 220 ready reply to the client. The client then sends a HELO command to which the server responds with a 250 OK. In configurations where a client must authenticate to the SMTP server, the "AUTH" SMTP command must be sent to the server. The client must then specify the type of authentication method with the "AUTH" command. An SMTP session is terminated by sending a QUIT command by the client. The format of the AUTH command is as follows:


Where AUTH is the first word on a new line, is one space character (0x20) and is the end of line character sequence.
Simple Authentication and Security Layer (SASL), is a framework providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. The Postfix server can use several SASL implementations such as Cyrus and Dovecot. Some supported authentication methods are listed:


When SASL authentication is enabled, the Postfix server creates a SASL handle for each SMTP session and keeps using it until the SMTP connection is closed. The Cyrus SASL server handle is not supposed to be reused if the client authentication fails. The server should create a new Cyrus SASL handle for every client authentication request. Only if the client and the server decide to switch from a plaintext session to an encrypted session is a new SASL handle created by Postfix for the same SMTP session.

A memory corruption vulnerability exists in Postfix SMTP server which uses the Cyrus SASL library. The vulnerability is due to the Postfix server failing to create a new SASL handle after a client authentication failure using certain authentication methods.
Each Cyrus SASL authentication mechanism comprises of session data structures which contain data and pointers to functions that implement the mechanism and the authentication states.
When an initialized authentication session is aborted by the client and a new authentication request is subsequently sent, Postfix fails to create a new SASL handle for the new request. As such, it will reuse the session context data structures that were allocated for the previous authentication session. This can lead to heap memory corruption.
A remote attacker could exploit this vulnerability by sending an AUTH command using a SASL authentication method, aborting it and subsequently sending another AUTH command. Successful exploitation will result in memory corruption. Execution of arbitrary code within the context of the process may also be possible.

This vulnerability has been assigned the identifier CVE-2011-1720 by mitre. SonicWall has released an IPS signature that addresses this issue. The following signature has been released:

  • 6619 - Postfix SASL AUTH Handle Reuse Memory Corruption