Bug 577401 - CVE-2010-1132 spamass-milter: remote command execution
Summary: CVE-2010-1132 spamass-milter: remote command execution
Keywords:
Status: CLOSED DUPLICATE of bug 572117
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 577404 577405
Blocks:
Reported: 2010-03-26 21:03 UTC by Vincent Danen
Modified: 2019-09-29 12:35 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-03-26 23:36:57 UTC
Embargoed:



Description Vincent Danen 2010-03-26 21:03:35 UTC
A flaw in how the spamass-milter processed user-supplied input was reported [1].  If spamass-milter is run with the expand (-x) option, it calls popen() in a way that includes the attacker-supplied recipient (RCPT TO).  For example:

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me at me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

The report claims this can result in remote root code execution; however, in Fedora spamass-milter is run with the privileges of the dedicated sa-milt user, reducing the scope and impact of this flaw.  As well, by default, spamass-milter does not run with the -x (expand) option, which is required to be able to exploit this flaw.

It does not look as though an upstream release has been made in many years, and the report does not provide a fix to the issue, although it does note the vulnerable popen() call.

This issue has been assigned CVE-2010-1132.

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html
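The flaw described above is a classic shell command injection: popen() hands its argument to /bin/sh, so shell metacharacters in the recipient become commands. The following is an added illustration of the mitigation pattern, not spamass-milter's code and not from the report. It assumes a hypothetical helper program (here just "echo" as a stand-in for whatever expansion command is used) and shows two defender-side controls: an allowlist check on the recipient string (recipient_is_safe, a hypothetical helper whose character set is an assumption) and running the helper via fork()/execvp() with the recipient as its own argv element, so no shell ever parses it.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for a recipient address before it is handed to any
 * external program.  Hypothetical helper: the accepted character set is an
 * assumption and would need to match the site's address policy.  Anything
 * a shell could interpret ('|', '"', ';', '`', '$', whitespace, ...) is
 * rejected outright. */
int recipient_is_safe(const char *rcpt) {
    if (rcpt == NULL || *rcpt == '\0' || strlen(rcpt) > 254)
        return 0;
    for (const unsigned char *p = (const unsigned char *)rcpt; *p; p++) {
        if (isalnum(*p))
            continue;
        if (strchr("@.-_+=", *p) != NULL)
            continue;
        return 0;
    }
    return 1;
}

/* Run `helper rcpt` without a shell and capture its stdout into out.
 * Because rcpt is passed as a separate argv element to execvp(), a value
 * such as root+:"|touch /tmp/foo" reaches the helper as a literal string
 * instead of being parsed by /bin/sh the way popen() would parse it.
 * Returns the child's exit status, or -1 on failure. */
int run_expand_no_shell(const char *helper, const char *rcpt,
                        char *out, size_t outlen) {
    int fds[2];
    if (helper == NULL || rcpt == NULL || out == NULL || outlen == 0)
        return -1;
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec the helper directly */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        char *const argv[] = { (char *)helper, (char *)rcpt, NULL };
        execvp(helper, argv);
        _exit(127);
    }

    /* parent: collect output, then reap the child */
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* constructed sample inputs: one ordinary address, one from the report */
    const char *good = "user@example.com";
    const char *bad = "root+:\"|touch /tmp/foo\"";
    char buf[128];

    printf("%s -> %s\n", good, recipient_is_safe(good) ? "accepted" : "rejected");
    printf("%s -> %s\n", bad, recipient_is_safe(bad) ? "accepted" : "rejected");

    /* even if the allowlist were skipped, the no-shell path passes the
     * string through untouched: echo just prints it back */
    if (run_expand_no_shell("echo", bad, buf, sizeof buf) == 0)
        printf("helper saw: %s", buf);
    return 0;
}
```

In practice a milter would apply both layers: reject recipients that fail the allowlist at the RCPT stage, and never build a command line from mail data for popen() or system() at all.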

Comment 1 Paul Howarth 2010-03-26 23:14:12 UTC
Is this not a duplicate of Bug #572117?

Comment 2 Vincent Danen 2010-03-26 23:36:57 UTC
Oh good grief.  Yes, it absolutely is.  Sorry about that; I'll fix these bugs up.

*** This bug has been marked as a duplicate of bug 572117 ***

