sa-exim Greylisting.pm vulnerability
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| sa-exim (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
Hello from SpamAssassin project,
For reference, check this discussion: https:/
Greylisting.pm module provided by sa-exim uses unsafe eval for config string.
Anyone capable of writing .cf files/rules can run perl code and commands even as root, if spamd/spamassassin is started as root.
Example SpamAssassin rule:
header GREYLIST eval:greylisting("( 'hacked' => `touch /tmp/hacked && echo 1`; 'dir' => '/var/spool/
Notice one of many ways to inject commands into eval
'hacked' => `touch /tmp/hacked && echo 1`;
This will create /tmp/hacked file immediately as the user which starts spamd or spamassassin command, and will not create any suspicious output or warnings to user.
These kinds of bugs are nasty, as people might have automatic downloads of external .cf files from third parties and never notice someone abusing things through this.
The bug is mitigated in SpamAssassin 3.4.3, which properly taints configuration strings, and results in Perl complaining and not loading Greylisting.pm at all.
I have attached a patch that maintains backwards compatibility and safely parses the config string, and of course allows the plugin to work with 3.4.3. :-)
CVE References
| Henrik Krohns (hegeli) wrote | #1 |
| Henrik Krohns (hegeli) wrote | #2 |
| Alex Murray (alexmurray) wrote | #3 |
| information type: | Private Security → Public Security |
| Ubuntu Foundations Team Bug Bot (crichton) wrote | #4 |
| tags: | added: patch |
| Changed in sa-exim (Ubuntu): | |
| status: | New → Confirmed |
Revised patch attached (previous missed untaint).
In case you use Debian sa-exim as upstream, I've also posted this to https:/