Bug 577401

Summary: CVE-2010-1132 spamass-milter: remote command execution
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: paul, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-26 23:36:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 577404, 577405
Bug Blocks:

Description Vincent Danen 2010-03-26 21:03:35 UTC
A flaw in how the spamass-milter processed user-supplied input was reported [1].  If spamass-milter is run with the expand (-x) option, it calls popen() in a way that includes the attacker-supplied recipient (RCPT TO).  For example:

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me at me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

The report claims this can result in remote root code execution; however, in Fedora spamass-milter is run with the privileges of the dedicated sa-milt user, reducing the scope and impact of this flaw.  As well, by default, spamass-milter does not run with the -x (expand) option, which is required to be able to exploit this flaw.

It does not look as though an upstream release has been made in many years, and the report does not provide a fix to the issue, although it does note the vulnerable popen() call.

This issue has been assigned CVE-2010-1132.

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html
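Added example (not code from spamass-milter or from the report): a conservative allow-list check for an envelope recipient, and a popen() replacement that runs a helper with an argv array and no shell, so a recipient like the one in the transcript above arrives as one literal argument instead of being parsed by /bin/sh. The helper path and arguments are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Allow-list for an envelope recipient before it reaches any helper program:
 * letters, digits and a few address characters; quotes, '|', ';', '$' and
 * whitespace are rejected. Constructed policy, not spamass-milter's own. */
int recipient_is_safe(const char *rcpt)
{
    if (rcpt == NULL || *rcpt == '\0' || strlen(rcpt) > 254)
        return 0;
    for (const char *p = rcpt; *p; p++) {
        int c = (unsigned char)*p;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || strchr("@.+-_=", c) != NULL))
            return 0;
    }
    return 1;
}

/* popen() replacement: runs `path` with an argv array and no /bin/sh, so the
 * recipient reaches the child as one opaque argument. Child stdout is copied
 * into out (NUL-terminated). Returns the exit status, or -1 on failure. */
int run_no_shell(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fds[2], status = 0;
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(path, argv);
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen &&
           (n = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running /bin/echo through run_no_shell() with the recipient from the transcript prints the quotes and pipe back verbatim; nothing after the '|' is executed because no shell ever sees the string.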

Comment 1 Paul Howarth 2010-03-26 23:14:12 UTC
Is this not a duplicate of Bug #572117?

Comment 2 Vincent Danen 2010-03-26 23:36:57 UTC
Oh good grief.  Yes, it absolutely is.  Sorry about that; I'll fix these bugs up.

*** This bug has been marked as a duplicate of bug 572117 ***