[BlueOnyx:07038] spamass-milter Security Advisory

Michael Stauber mstauber at blueonyx.it
Thu Apr 14 17:34:07 -05 2011


spamass-milter - Security Advisory
==================================

On the 11th April 2011 on 23:49 CEST I was informed by Christoph Schneeberger 
(http://tisnet.ch) that he had found a remotely exploitable bug in the 
spamass-milter-0.3.1-21 RPM that was part of the Solarspeed.net AV-SPAM v5 
(for BlueOnyx and BlueQuartz). 

Other vendors' AntiSpam solutions were also affected, but I leave it to them 
to handle their announcements.

After confirming that this was indeed the case, fixed spamass-milter-0.3.1-30 
RPMs were released to the BlueOnyx and BlueQuartz YUM repositories of the AV-
SPAM v5. This happened on 12th April 2011, 03:21 CEST.

Christoph Schneeberger and I then decided to withhold the release of the 
security announcement for three days to make sure that as many affected 
customers as possible had the chance to fetch the fixed spamass-
milter-0.3.1-30 through YUM.

Unfortunately this problem made quite a few servers vulnerable and some of 
them have been compromised in the time between the release of the faulty 
spamass-milter-0.3.1-21 and before the release of the fixed spamass-
milter-0.3.1-30 RPM.

I apologize for any problems that this may have caused. If your server is 
compromised, or if you suspect that it has been compromised, please contact 
Solarspeed.net (https://www.solarspeed.net/contact-form.php) to receive free 
help on that issue.

To test if you have the new (and safe) spamass-milter-0.3.1-30 installed, 
please run this command as "root" on your command line:

rpm -q spamass-milter

It will report if spamass-milter is installed and which version it has. As 
said: 0.3.1-30 is safe.

If you still have spamass-milter-0.3.1-21 installed, please run "yum update" 
as soon as possible - or follow the guidelines listed in the advisory below.
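The version check above can be scripted so that a fleet of servers can be checked the same way. The following is an added example written for this post; it is not part of the advisory or of the AV-SPAM packages. It classifies the string that `rpm -q spamass-milter` prints, assuming package names of the form spamass-milter-<version>-<release>[.<dist>] and, as the advisory states, that 0.3.1-30 is the first safe build:

```shell
#!/bin/sh
# Added example, not part of the advisory or of the AV-SPAM packages: classify the
# string that "rpm -q spamass-milter" prints as fixed, vulnerable or not-installed.
# Assumptions: package names look like spamass-milter-<version>-<release>[.<dist>]
# with numeric version components, and (per the advisory) 0.3.1-30 is the first
# safe build while all builds <= 0.3.1 before it are unsafe.

FIXED_VERSION="0.3.1"
FIXED_RELEASE=30

# Compare two dotted numeric versions; prints lt, eq or gt.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}          # leading component of each
        ax=${ax:-0}; bx=${bx:-0}          # a missing component counts as 0
        if [ "$ax" -lt "$bx" ]; then echo lt; return 0; fi
        if [ "$ax" -gt "$bx" ]; then echo gt; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# Classify an rpm -q answer: prints fixed, vulnerable or not-installed.
spamass_milter_status() {
    case "$1" in
        spamass-milter-[0-9]*) ;;
        *) echo not-installed; return 0 ;;   # e.g. "package spamass-milter is not installed"
    esac
    rest=${1#spamass-milter-}                # 0.3.1-30.centos5
    version=${rest%%-*}                      # 0.3.1
    release=${rest#*-}                       # 30.centos5
    release=${release%%.*}                   # 30
    case $(vercmp "$version" "$FIXED_VERSION") in
        gt) echo fixed ;;
        lt) echo vulnerable ;;
        eq) if [ "$release" -ge "$FIXED_RELEASE" ]; then echo fixed; else echo vulnerable; fi ;;
    esac
}

# Live check of this host (needs rpm; run as root, as the post says).
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 0; }
    spamass_milter_status "$(rpm -q spamass-milter 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it as `sh check-spamass-milter.sh --live` on each box; any answer other than `fixed` means `yum update` (or the workaround in the advisory) is still outstanding.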


The full security advisory:
===========================

spamass-milter Security Advisory
--------------------------------
The package spamass-milter is part of Solarspeed's and other vendors' AntiSpam 
solutions. This package has a remotely exploitable bug when used with address 
expansion, which can lead to an attacker executing commands within the account 
of the user spamass-milter runs under. As this is root in BlueOnyx, this bug 
can lead to root access for a remote attacker. Root access is necessary to 
expand all aliases etc. fully.

Affected versions:
------------------
* spamass-milter-0.3.1 and probably all earlier versions (untested)

The following RPM versions have been found vulnerable so far:
* spamass-milter-0.3.1-21.centos5
* spamass-milter-0.3.1-1
* all versions <= 0.3.1

So far all installations of spamass-milter (except spamass-
milter-0.3.1-30.centos5) have been found vulnerable.


Description:
------------
A bug in the spamass-milter package allows remote code injection/execution as root.
Bugtraq ID: 38578
CVE: CVE-2010-1132 
CVE-Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1132


Example Exploit / Proof of concept:
-----------------------------------
telnet localhost 25
helo me.too
250 ...
mail from: badb0y at evilz.org
250 2.1.0 ...
rcpt to: root+:"|echo 'you are haxored'> /tmp/evilfile"


Risk / Impact:
--------------
The associated risk of this vulnerability is HIGH, and the attack is in the 
wild and used for attacks extensively. Intrusions have been reported back from 
the start of February 2011 using this exploit.


Vendor Status:
--------------
Solarspeed has been notified on April 11th and has acknowledged the
problem within 1 hour. Solarspeed has issued a fix a few hours after receiving 
our initial report. This advisory will be held back until the fix could be 
pushed to most customers.


Vendor Fix:
-----------
Released to the repositories on: April 12th 2011


Workaround:
-----------
Until your vendor releases a fix you can stop the above exploit from
working by changing the following two files accordingly:

/etc/sysconfig/spamass-milter:
change the line:
EXTRA_FLAGS="-x -r 10 -u mailnull -- -U /var/run/spamd.sock -s 200000 -i 127.0.0.1 "
to:
EXTRA_FLAGS="-r 10 -u mailnull -- -U /var/run/spamd.sock -s 200000 -i 127.0.0.1 "
and change:
USER_FLAGS="-x -u mailnull"
to:
USER_FLAGS="-u mailnull"


/etc/rc.d/init.d/spamass-milter:
change the line:
EXTRA_FLAGS="-x -r 10 -u mailnull -i 127.0.0.1 -- -U /var/run/spamd.sock -s 200000"
to:
EXTRA_FLAGS="-r 10 -u mailnull -i 127.0.0.1 -- -U /var/run/spamd.sock -s 200000"

This can lead to the wrong AntiSpam user settings getting applied to an 
incoming mail after expanding all aliases. Depending on your setup this might 
be an acceptable drawback compared to the remote root exploit you can 
mitigate with it. Thanks to Michael Stauber for outlining possible drawbacks 
when removing -x.
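The edits in the workaround are easy to get wrong by hand on many servers, so here is an added example script that applies them; it is not part of the advisory and not Solarspeed's code. It removes only a standalone `-x` token from the `EXTRA_FLAGS` / `USER_FLAGS` assignments in the two files the advisory names, leaves comments and every other option alone, and keeps a backup of each file it changes. The file paths are the advisory's; the backup naming and the `--check`/`--apply` switches are this example's own choice:

```shell
#!/bin/sh
# Added example, not part of the advisory: strip the standalone "-x" option from
# the FLAGS assignments in the two spamass-milter config files named in the
# advisory, keeping a backup of each changed file. Needs root to write /etc.

FILES="/etc/sysconfig/spamass-milter /etc/rc.d/init.d/spamass-milter"

# Filter (stdin -> stdout): on lines that assign a *FLAGS variable, delete every
# standalone "-x" token in the quoted value. Other lines (comments, code) pass
# through untouched. The four substitutions cover "-x" as the only option, as
# the first option, as the last option and in the middle; the :a/ta loop
# repeats until nothing matches, so several "-x" tokens are all removed.
strip_x_flag() {
    sed -e '/^[[:space:]]*[A-Za-z_]*FLAGS=/!b' \
        -e ':a' \
        -e 's/="-x"/=""/' \
        -e 's/="-x /="/' \
        -e 's/ -x"/"/' \
        -e 's/ -x / /' \
        -e 'ta'
}

# Print "clean" if no FLAGS line in file $1 still carries a standalone -x, else "dirty".
flags_state() {
    if [ "$(strip_x_flag < "$1")" = "$(cat "$1")" ]; then echo clean; else echo dirty; fi
}

# Rewrite file $1 in place (after saving a backup) if it still carries -x.
harden_file() {
    f=$1
    [ -f "$f" ] || { echo "skip: $f not present"; return 0; }
    new=$(strip_x_flag < "$f")
    if [ "$new" = "$(cat "$f")" ]; then
        echo "ok: $f already without -x"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"    # keep the original for comparison
    printf '%s\n' "$new" > "$f"                 # same inode, so mode/owner are kept
    echo "fixed: $f (backup kept)"
}

case "${1:-}" in
    --check) for f in $FILES; do [ -f "$f" ] && echo "$f: $(flags_state "$f")"; done ;;
    --apply) for f in $FILES; do harden_file "$f"; done ;;
esac
```

Run `sh strip-x.sh --check` first to see which files still carry `-x`, then `--apply` as root and restart spamass-milter so the new flags take effect. The advisory's caveat still applies: without `-x`, per-user AntiSpam settings may be applied to the wrong account after alias expansion.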

Possible Impact:
----------------
Postmortem analysis of all BlueOnyx boxes that have been exploited in this 
way has shown the following properties after a successful attack (which 
suggests a single attacker has been working his way through BlueOnyx 
installations):
- the maillog of the day of compromise is removed to hide the way the attacker 
got in

- the following files normally get replaced/added:
/usr/bin/ssh
/usr/sbin/sshd
/lib/initr
/lib/security/sh2
/lib/security/sshd
/lib/security/sh1
/lib/security/ssh
/etc/sysconfig/spamass-milter
/etc/rc.d/init.d/spamass-milter
/etc/ssh/ssh_config

Both ssh and sshd are backdoored versions that log all passwords used by users 
connecting FROM and TO the compromised host to /lib/initr

All files in /lib/security are backups of replaced files. You should be able 
to find all replaced/changed files by searching for files changed within 
+-3min of the attack. 

The ssh_config gets updated so that it works with the backdoored ssh client.

-x is removed from spamass-milter args so that the installation is safe from 
further exploiting through the same bug.

- It seems the attack evolved a little over time, so the picture you face on a 
compromised host might be slightly different. E.g. not all compromises have 
had the changed attributes on ssh and sshd.
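The indicators listed above lend themselves to a quick, read-only triage pass. The following is an added example, not part of the advisory: it checks for the backdoor log and backup files the advisory names, lists files whose modification time falls in a window around the suspected compromise (the advisory's "+-3min" hint), and, on a live host, asks RPM to verify the ssh binaries. The `ROOT` argument lets it run against a mounted image of the suspect disk. The openssh-clients / openssh-server package names and the `--scan` switch are assumptions of this example, not something the advisory states:

```shell
#!/bin/sh
# Added example, not part of the advisory: read-only triage for the indicators
# the advisory lists. ROOT (default /) may point at a mounted copy of the disk.
# File paths below are the advisory's; package names are this example's assumption.

# Files the advisory says the intruder adds (password log) or leaves as backups.
IOC_FILES="lib/initr lib/security/sh1 lib/security/sh2 lib/security/ssh lib/security/sshd"

# Print each indicator file that exists below $1, one per line.
ioc_files_present() {
    root=${1:-/}
    for rel in $IOC_FILES; do
        p="${root%/}/$rel"
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# Number of indicator files present below $1.
ioc_file_count() {
    ioc_files_present "$1" | wc -l | tr -d ' '
}

# List regular files under $1 whose mtime lies between $2 and $3, both given in
# touch -t format (YYYYMMDDhhmm). For a compromise seen at 03:21 on 12 Apr 2011 the
# advisory's +-3 min window is 201104120318 201104120324. Uses -newer against two
# reference files, which works on old findutils without -newermt.
files_changed_between() {
    root=${1:-/}; start=$2; end=$3
    refdir=$(mktemp -d)
    touch -t "$start" "$refdir/start"
    touch -t "$end" "$refdir/end"
    find "$root" -xdev -type f -newer "$refdir/start" ! -newer "$refdir/end" 2>/dev/null || true
    rm -rf "$refdir"
}

# On a live host, let RPM report ssh binaries that no longer match the package
# database (size/md5 changes show up as "S" and "5" flags). Silent means no change
# recorded; note the RPM database itself lives on the suspect host.
verify_ssh_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping"; return 0; }
    rpm -V openssh-clients openssh-server || true
}

case "${1:-}" in
    --scan)
        root=${2:-/}
        echo "indicator files present under $root:"
        ioc_files_present "$root"
        [ -n "${3:-}" ] && [ -n "${4:-}" ] && files_changed_between "$root" "$3" "$4"
        verify_ssh_packages
        ;;
esac
```

Usage: `sh triage.sh --scan / 201104120318 201104120324` on the live box, or point the second argument at a mount of a copied disk. Treat any hit as a reason to preserve the system for analysis rather than to start cleaning: the advisory notes the intruder also deletes the maillog for the day, so the remaining mtimes and backup files may be the only record of how the box was entered.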

References:
-----------
http://www.securityfocus.com/bid/38578
http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html
http://www.gossamer-threads.com/lists/spamassassin/users/160195
http://www.gossamer-threads.com/lists/spamassassin/users/160211

Credits:
--------
A lot of people have been very helpful in the process of creating this
advisory, special thanks go to:
- Stephanie Sullivan
- Peter P.M.
- Michael Aronoff
- Ap.Muthu
- Gerald Waugh
- Michael Stauber


Author:
-------
Christoph Schneeberger on behalf of tisnet hosting services [http://tisnet.ch]
Created: April 12th 2011
Last mod: April 14th 2011

EOF 
-------------------------------------------------------------------------------------------

Allow me some closing comments:
===============================

As you can imagine, this is quite a source of embarrassment and a serious case 
of "egg on my face".

After releasing the fixed spamass-milter-0.3.1-30 I went back and examined 
what had gone wrong and why. After all, my "faulty" previous version of 
spamass-milter had specifically been built to close the issues outlined in 
CVE-2010-1132.

However, the sources that I used for that purpose were at first Debian-based 
and caused issues with SMTP authentication. Emails sent by SMTP-Auth'ed users 
were scanned as well, which is quite undesired.

I then used the Fedora Core 12 modified spamass-milter with their security 
patches and merged in the changes needed for the AV-SPAM specific spamass-
milter configuration. However, in the process of mixing and merging code, some 
of the sources and patches got mixed up and the protection against 
CVE-2010-1132 went missing, which I didn't notice until it was prominently 
pointed out <sigh>.

My humble apologies to everyone that was affected. :o(

-- 
With best regards

Michael Stauber
www.solarspeed.net
