Bugtraq mailing list archives
AMaViS virus scanner for Linux - root exploit
From: mcdonc () IQGROUP COM (Chris McDonough)
Date: Fri, 16 Jul 1999 16:00:43 -0000
The AMaViS incoming-mail virus scanning utility (available at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has problems. I tried to contact the maintainer of the package (Christian Bricart) on June 26, and again several times over the course of the last month, but I have not received anything from him and the AMaViS website does not yet acknowledge the problem or provide a fix. However, on Jun 30, co-contributors to the package (Juergen Quade and Mogens Kjaer) responded quickly with an acknowledgement of the problem and a few fixes. Because the co-authors do not maintain the downloadable package, however, the latest downloadable version of AMaViS (0.2.0-pre4 and possibly earlier) still has a bug which allows remote users to send arbitrary commands as root to a Linux machine running the AMaViS scripts.

Exploit: Send a message with a virus-infected file attachment. Use something like "`/sbin/reboot`@dummy.com" as your reply-to address in your MUA when sending the message. When the AMaViS box receives the message, it will go through its scripts, find the virus, construct an email message to send back to the sender of the virus-infected file... line 601+ in the "scanmails" script:

    cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2

                     V I R U S   A L E R T

     Our viruschecker found a VIRUS in your email to "$7".
     We stopped delivery of this email!
     Now it is on you to check your system for viruses

     For further information about this viruschecker see:
     http://aachalon.de/AMaViS/
     AMaViS - A Mail Virus Scanner, licenced GPL
    EOF

... the $2 expands to a shell command (e.g. "/sbin/reboot") which runs as root.

To solve it, Juergen Quade created the following diff file. It represents the difference between his "secured" and "insecure" scanmails shell script file. I solved it differently, using a procmail recipe, but this will work too:

--- scanmails.orig Wed Jun 30 12:54:02 1999 +++ scanmails Wed Jun 30 12:54:15 1999
@@ -122,6 +122,50 @@ deliver=/usr/bin/procmail + ############################################################ ### +# Chris McDonough informed us, that it is possible to execute # +# programs by sending an email, wich contains a virus and has # +# as return address something like: # +# `/sbin/reboot`@softing.com # +# or # +# $(/sbin/reboot) @softing.com # +# The execution of the command (/sbin/reboot) is done by the # +# "mail" program. Therefore we parse the arguments in order # +# to substitute those characters to nothing # + # # +# Wed Jun 30 11:47:55 MEST 1999 # + ############################################################ ### + +# substitute all "`","$(",")" to nothing +receiver=${7//\`/} +receiver=${receiver//\$\(/} +receiver=${receiver//\)/} + +sender=${2//\`/} +sender=${sender//\$\(/} +sender=${sender//\)/} + +if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then + cat <<EOF | ${mail} -s "Intrusion???" ${mailto} + ############################################################ ### +# Chris McDonough informed us, that it is possible to execute # +# programs by sending an email, wich contains a virus and has # +# as return address something like: # +# \`/sbin/rebbot\`@softing.com # +# or # +# \$\(/sbin/rebbot\) @softing.com # +# The execution of the command (/sbin/rebbot) is done by the # +# "mail" program. Therefore we parse the arguments in order # +# to substitute those characters to nothing # + # # +# Wed Jun 30 11:47:55 MEST 1999 # + ############################################################ ### + $7 or $2 is not a valid Email address + (changed to $receiver and $sender)! +EOF +fi +# + ################################################ # main program # # -------------- # 
@@ -171,8 +215,8 @@ echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx > ${tmpdir}/logfile echo ${scanscriptname} called $* >>${tmpdir}/logfile -echo FROM: $2 >>/${tmpdir}/logfile -echo TO: $7 >>/${tmpdir}/logfile +echo FROM: $sender >>/${tmpdir}/logfile +echo TO: $receiver >>/${tmpdir}/logfile ${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null 2>&1 @@ -597,11 +641,11 @@ ################### send a mail back to sender ###################### -cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2 +cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver" $sender V I R U S A L E R T - Our viruschecker found a VIRUS in your email to "$7". + Our viruschecker found a VIRUS in your email to "$receiver". We stopped delivery of this email! Now it is on you to check your system for viruses @@ -614,12 +658,12 @@ ############### send a mail to the addressee ######################## -cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7 +cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $sender" $receiver V I R U S A L E R T Our viruschecker found a VIRUS in a mail from - "$2" + "$sender" to you. Delivery of the email was stopped!
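Review bot: the sanitisation added in the first hunk (@@ -122,6 +122,50 @@) is a blacklist that removes only "`", "$(" and ")" from $2 and $7, so any other character that the mail program, or a shell it spawns to hand the address to the MTA, treats specially (";", "|", "&", "<", ">", whitespace, newline, a leading "-") still reaches `${mail} ... $sender`. The hunk's own comment says the execution "is done by the "mail" program", so stripping three tokens and sending anyway is not enough; accept only addresses that match a narrow allow-list (letters, digits, ".", "_", "+", "-", "@"), and for anything else skip the notification and log the raw value. Two smaller points: the `${7//\`/}` form of substitution requires bash 2.x, so the script's interpreter line must be bash rather than /bin/sh or these lines fail to parse; and the comment block has "wich" for "which" and "rebbot" for "reboot" in the copy that goes into the "Intrusion???" mail.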
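Review bot: in the logging hunk (@@ -171,8 +215,8 @@) the logfile now records only the cleaned `$sender` and `$receiver`, so the evidence of an injection attempt disappears from ${tmpdir}/logfile and survives only in the "Intrusion???" mail sent by the first hunk; write the original $2 and $7 alongside the cleaned values (as echo/heredoc data, never as arguments to another program) so the attempt can be reconstructed from the log alone. The redirection `>>/${tmpdir}/logfile` on both lines, unchanged by the patch, has a stray "/" before ${tmpdir}; it only works because "//" collapses to "/", and should read `>>${tmpdir}/logfile` like the `called $*` line just above it.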
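Review bot: in the two notification hunks (@@ -597,11 +641,11 @@ and @@ -614,12 +658,12 @@) `$sender` and `$receiver` are still passed to ${mail} as unquoted command-line arguments, so a value beginning with "-" is read as an option and a value containing whitespace (which the first hunk does not remove) is split into several recipients. Quote them ("$sender", "$receiver") and, before this point, refuse to send at all when the address does not match a strict pattern; the `-s "..."` subject strings are already quoted and are fine once the address itself is constrained.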
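The following script is an added example, not part of AMaViS or of the patch above: it puts the patch's blacklist stripping next to an allow-list check for the two addresses ($2 = sender, $7 = receiver) that scanmails hands to ${mail} as arguments, and shows which inputs each approach lets through. Function names are this example's own and the sample addresses are constructed; the only external tools used are sed and grep.

```shell
#!/bin/sh
# Added example, not AMaViS code: contrast the posted patch's blacklist with
# an allow-list for addresses that scanmails passes to ${mail} as arguments.
# Function names are this example's own; sample addresses are constructed.

# Same effect as the patch's ${x//\`/}, ${x//\$\(/} and ${x//\)/}:
# remove "`", "$(" and ")" and leave every other character alone.
strip_blacklist() {
    printf '%s\n' "$1" | sed -e 's/`//g' -e 's/\$(//g' -e 's/)//g'
}

# Allow-list: exit 0 only for a non-empty address that does not look like a
# command-line option and uses a conservative addr-spec alphabet. Everything
# else, including every shell metacharacter, is rejected, not cleaned up.
is_safe_address() {
    case $1 in
        ''|-*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._+%=-]+@[A-Za-z0-9.-]+$'
}

# What scanmails could do before its "send a mail back to sender" step:
# print the address if it may be used as an argument; otherwise print
# nothing and fail, so the caller logs the raw value and skips the notice.
address_for_mail() {
    if is_safe_address "$1"; then
        printf '%s\n' "$1"
    else
        return 1
    fi
}

# Constructed samples: a benign address, the two forms named in the patch
# comment, one with a metacharacter the blacklist does not know about, and
# one that an option parser would read as a flag.
demo() {
    for s in 'user@example.com' '`/sbin/reboot`@example.com' \
             '$(/sbin/reboot)@example.com' 'alice;id@example.com' \
             '-x@example.com'; do
        if is_safe_address "$s"; then verdict=accept; else verdict=reject; fi
        printf '%-32s blacklist=%-28s allowlist=%s\n' \
            "$s" "$(strip_blacklist "$s")" "$verdict"
    done
}

demo
```

Running it shows the blacklist turning both `/sbin/reboot` forms into a plausible-looking address and passing the `;` and `-` cases through untouched, while the allow-list rejects all four and accepts only the plain address. The allow-list is deliberately narrower than RFC 822 (no quoted local parts, no comments, no route addresses); for a script that only sends automatic notices, refusing an unusual but legitimate address costs one bounce, whereas accepting a crafted one costs the machine.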