Re: shellshock via SMTP?
>> 2014-10-29 16:26, Joe Acquisto-j4 wrote:
>> > Comments on the ZD net article that claims shellshock exploit via
>> > crafty SMTP headers? Just asking, that's all . . .
>> >
>> > I attached a link to it below, please excuse if that is improper
>> > behavior.
>> > http://www.zdnet.com/shellshock-attacks-mail-servers-735094/
>>
>> I have seen one such sample. Must be a really dumb mail delivery agent
>> or a content filter or a MUA that lets a mail header touch a shell.
>>
>> No matter whether bash is patched or not, tainted data from a mail
>> message must never be handed over to shell.

Hi,

suppose your mail system does everything fine, there may still be final delivery, where procmail, sieve, .qmail files jump in. There might be some program delivery, such as a mailing list manager that handles mail to unsubscribe-xxx@ or a local service that accepts mail to fax@localhost with the fax number in the subject field.

In such situations, the delivery stage of the mailer may only make a decision (and let the called process parse the message again) or it may place smtp header data into variables for the benefit of the called process.

Now let the end user put in a shell script to solve a particular need...

Regards
Wolfgang

>>
>> Mark
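The two points made above (header data must not reach a shell, and the delivery stage can let the called process parse the message again instead of exporting headers as variables) can be sketched as follows. This is an added example, not code from anyone in this thread; the names `suspicious_headers`, `deliver` and `FIXED_ENV`, and the sample message, are hypothetical.

```python
import re
import subprocess
from email import message_from_string

# A value that starts with "() {" is what a vulnerable bash treats as a
# function definition when it imports it from the environment.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

# Constructed sample message; addresses and header values are made up.
SAMPLE = (
    "From: sender@example.invalid\n"
    "To: fax@localhost\n"
    "Subject: () { :; }; /usr/bin/id\n"
    "X-Note: ordinary header\n"
    "\n"
    "body text\n"
)

# The delivery program gets this environment and nothing derived from the mail.
FIXED_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def suspicious_headers(raw):
    """Return (name, value) for headers that look like a bash function definition."""
    msg = message_from_string(raw)
    return [(name, value) for name, value in msg.items() if FUNC_DEF.search(value)]


def deliver(raw, argv):
    """Pass the message to a delivery program on stdin, with no shell involved.

    Header values are never copied into the environment or a command line;
    the called program has to parse the message itself.
    """
    hits = suspicious_headers(raw)
    if hits:
        names = ", ".join(name for name, _ in hits)
        raise ValueError("refused, function-definition pattern in: " + names)
    result = subprocess.run(argv, input=raw, env=FIXED_ENV, shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout
```

The pattern check is only a filter in front of the hand-off; the fixed environment and the absence of a shell are what keep header data away from bash.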
Re: shellshock via SMTP?
On Oct 29, 2014, at 16:54, Mark Martinec wrote:

> 2014-10-29 16:26, Joe Acquisto-j4 wrote:
>> Comments on the ZD net article that claims shellshock exploit via
>> crafty SMTP headers? Just asking, that's all . . .
>> I attached a link to it below, please excuse if that is improper behavior.
>> http://www.zdnet.com/shellshock-attacks-mail-servers-735094/
>
> I have seen one such sample. Must be a really dumb mail delivery agent
> or a content filter or a MUA that lets a mail header touch a shell.
>
> No matter whether bash is patched or not, tainted data from a mail
> message must never be handed over to shell.
>
> Mark

In the Wikipedia article on shellshock qmail is mentioned.

See also http://www.gossamer-threads.com/lists/qmail/users/138578

/rolf
Re: shellshock via SMTP?
On 29/10/2014 16:54, Mark Martinec wrote:

> 2014-10-29 16:26, Joe Acquisto-j4 wrote:
>> Comments on the ZD net article that claims shellshock exploit via
>> crafty SMTP headers? Just asking, that's all . . .
>> I attached a link to it below, please excuse if that is improper behavior.
>> http://www.zdnet.com/shellshock-attacks-mail-servers-735094/
>
> I have seen one such sample. Must be a really dumb mail delivery agent
> or a content filter or a MUA that lets a mail header touch a shell.

Even my low-volume server has seen a few attempts, though the sending bots didn't follow proper SMTP protocol and were duly rejected by postscreen (not that they would have gotten anywhere near a shell anyway of course!).

Curiously most appeared to be proof-of-concept testing rather than a true attack, as they were attempting to call /usr/bin/id

--
John
Re: shellshock via SMTP?
2014-10-29 16:26, Joe Acquisto-j4 wrote:

> Comments on the ZD net article that claims shellshock exploit via
> crafty SMTP headers? Just asking, that's all . . .
> I attached a link to it below, please excuse if that is improper behavior.
> http://www.zdnet.com/shellshock-attacks-mail-servers-735094/

I have seen one such sample. Must be a really dumb mail delivery agent or a content filter or a MUA that lets a mail header touch a shell.

No matter whether bash is patched or not, tainted data from a mail message must never be handed over to shell.

Mark
Re: shellshock via SMTP?
On Wed, 29 Oct 2014, Joe Acquisto-j4 wrote:

> Comments on the ZD net article that claims shellshock exploit via
> crafty SMTP headers? Just asking, that's all . . .
> I attached a link to it below, please excuse if that is improper behavior.
> http://www.zdnet.com/shellshock-attacks-mail-servers-735094/

There is at least one going around.

http://www.exploit-db.com/exploits/34896/

I've put what I hope are mitigations in my sample milter-regex.conf but I haven't actually tested them.

http://www.impsec.org/~jhardin/antispam/

--
John Hardin KA7OHZ
http://www.impsec.org/~jhardin/
jhar...@impsec.org
FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
---
2 days until Halloween