What is Hagrid?

Hagrid, as in “keeper of keys”, is a verifying OpenPGP keyserver, written in Rust and powered by Sequoia-PGP, running on https://keys.openpgp.org/.

It was launched on 12 June 2019.

It is intended to replace the SKS keyserver.

Digging deeper

I wanted to take a closer look to find potential security flaws. A key feature with potentially a lot of room for vulnerabilities was email verification. Hagrid supports verifying user IDs by email: the user follows a link sent to their email address.

Hagrid uses sendmail for mailing.

I also tested msmtp, which can be used as a sendmail replacement for the Hagrid integration.

Vulnerability

Hagrid uses the lettre mailing library.

By crafting email addresses like the following, it was possible to make lettre inject arbitrary flags into the final sendmail command line, because the recipient address was passed as a positional argument right after the flags:

-bi@example.com    (-bi: Initialize the alias database.)
-d0.1a@example.com (The option -d0.1 prints the version of sendmail and the options it was compiled with.)

strace dump from the server running sendmail with the injected flag (the injected address is passed verbatim as an argument, and sendmail logs the resulting attempt to rebuild the alias map):

28329 execve("/usr/sbin/sendmail", ["/usr/sbin/sendmail", "-i", "-f", "noreply@localhost", "-bi@example.com"], 0x7ffcc8ada608 /* 23 vars */ 
28329 sendto(3, "Nov  4 16:48:22 sendmail[28329]: user 1000 attempted to rebuild the alias map", 81, MSG_NOSIGNAL, NULL, 0) = 81

A simple fix was to use sendmail’s -- flag, so that every argument after it is treated only as an address and never as an option.

From the man page:

--  Stop processing command flags and use the rest of the arguments as addresses. 
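The following is an added example (not Hagrid’s or lettre’s code) that models the two ways of building the sendmail argument list: the vulnerable form, which mirrors the strace line above, and the hardened form with the -- terminator. The getopt-style check is a simplified model of how sendmail reads its arguments, and the sendmail path is the one from the strace output; nothing is spawned.

```rust
use std::process::Command;

/// Argument list the vulnerable code path produced (mirrors the strace line
/// in the post): the recipient follows the flags directly, so a recipient
/// that begins with '-' is parsed by sendmail as an option.
fn argv_vulnerable(from: &str, to: &str) -> Vec<String> {
    ["-i", "-f", from, to].iter().map(|s| s.to_string()).collect()
}

/// Hardened argument list: "--" ends option processing, so sendmail treats
/// every later argument as an address even if it starts with '-'.
fn argv_hardened(from: &str, to: &str) -> Vec<String> {
    ["-i", "-f", from, "--", to].iter().map(|s| s.to_string()).collect()
}

/// Simplified model of getopt-style parsing: the argument at `idx` is read
/// as an option when it starts with '-' and no "--" precedes it.
fn parsed_as_option(argv: &[String], idx: usize) -> bool {
    let terminated = argv[..idx].iter().any(|a| a == "--");
    !terminated && argv[idx].starts_with('-')
}

/// True when the recipient (the last argument) would be read as a flag.
fn recipient_is_injected(argv: &[String]) -> bool {
    !argv.is_empty() && parsed_as_option(argv, argv.len() - 1)
}

/// Build (but do not spawn) the hardened sendmail invocation.
fn hardened_command(from: &str, to: &str) -> Command {
    let mut cmd = Command::new("/usr/sbin/sendmail");
    cmd.args(argv_hardened(from, to));
    cmd
}

fn main() {
    // Constructed sample input: the injected address from the post.
    let injected = "-bi@example.com";
    let candidates = vec![
        argv_vulnerable("noreply@localhost", injected),
        argv_hardened("noreply@localhost", injected),
    ];
    for argv in &candidates {
        println!("{:?} -> recipient read as flag: {}", argv, recipient_is_injected(argv));
    }
}
```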

Disclosure, impact and remediation

I disclosed it to both the Hagrid and lettre maintainers, who were very fast in their response. (5 Nov. 2020)

Vincent applied the hotfix to Hagrid on the same day.

lettre published an advisory within a week.

It was assigned CVE-2020-28247.