Bugtraq mailing list archives

AMaViS virus scanner for Linux - root exploit


From: mcdonc () IQGROUP COM (Chris McDonough)
Date: Fri, 16 Jul 1999 16:00:43 -0000


The AMaViS incoming-mail virus scanning utility (available 
at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has 
problems.

I tried to contact the maintainer of the package (Christian 
Bricart) on June 26, again several times over the course of 
the last month, but I have not received anything from him 
and the AMaViS website does not yet acknowledge the problem 
or provide a fix.  However, on Jun 30, co-contributors to 
the package (Juergen Quade and Mogens Kjaer) responded 
quickly with an acknowledgement of the problem and a few 
fixes.  Because the co-authors do not maintain the 
downloadable package, however, the latest downloadable 
version of AMaViS (0.2.0-pre4 and possibly earlier) still 
has a bug which allows remote users to send arbitrary 
commands as root to a Linux machine running the AMaViS 
scripts.

Exploit:

Send a message with a virus-infected file attachment.  Use 
something like "`/sbin/reboot`@dummy.com" as your reply-to 
address in your MUA when sending the message.  When the 
AMaViS box receives the message, it will go through its 
scripts, find the virus, construct an email message to send 
back to the sender of the virus-infected file... line 601+ 
in the "scanmails" script:

cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2

                   V I R U S  A L E R T

  Our viruschecker found a VIRUS in your email to "$7".
           We stopped delivery of this email!

    Now it is on you to check your system for viruses

  For further information about this viruschecker see:
               http://aachalon.de/AMaViS/
        AMaViS - A Mail Virus Scanner, licenced GPL  
EOF

... the $2 expands to a shell command (e.g. "/sbin/reboot") 
which runs as root.

To solve it, Juergen Quade created the following diff 
file.  It represents the difference between his "secured" 
and "insecure" scanmails shell script file.  I solved it 
differently, using a procmail recipe, but this will work 
too:

--- scanmails.orig      Wed Jun 30 12:54:02 1999
+++ scanmails   Wed Jun 30 12:54:15 1999
@@ -122,6 +122,50 @@

 deliver=/usr/bin/procmail
 
+
############################################################
###
+# Chris McDonough informed us, that it is possible to 
execute #
+# programs by sending an email, wich contains a virus and 
has #
+# as return address something 
like:                           #
+#      
`/sbin/reboot`@softing.com                            #
+# 
or                                                          
#
+#      $(/sbin/reboot)
@softing.com                           #
+# The execution of the command (/sbin/reboot) is done by 
the  #
+# "mail" program. Therefore we parse the arguments in 
order   #
+# to substitute those characters to 
nothing                   #
+
#                                                           
  #
+# Wed Jun 30 11:47:55 MEST 
1999                               #
+
############################################################
###
+
+# substitute all "`","$(",")" to nothing
+receiver=${7//\`/}
+receiver=${receiver//\$\(/}
+receiver=${receiver//\)/}
+
+sender=${2//\`/}
+sender=${sender//\$\(/}
+sender=${sender//\)/}
+
+if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then
+       cat <<EOF | ${mail} -s "Intrusion???" ${mailto}
+
############################################################
###
+# Chris McDonough informed us, that it is possible to 
execute #
+# programs by sending an email, wich contains a virus and 
has #
+# as return address something 
like:                           #
+#      
\`/sbin/rebbot\`@softing.com                          #
+# 
or                                                          
#
+#      \$\(/sbin/rebbot\)
@softing.com                        #
+# The execution of the command (/sbin/rebbot) is done by 
the  #
+# "mail" program. Therefore we parse the arguments in 
order   #
+# to substitute those characters to 
nothing                   #
+
#                                                           
  #
+# Wed Jun 30 11:47:55 MEST 
1999                               #
+
############################################################
###
+       $7 or $2 is not a valid Email address
+       (changed to $receiver and $sender)!
+EOF
+fi
+#             
+
 ################################################
 #                main program                  #
 #               --------------                 #
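Review bot: the sanitiser added in this hunk is a blocklist that deletes only "`", "$(" and ")", so if mail(1) really hands the address to a shell, as the comment block says, then ";", "|", "&", "<", ">", a newline and a leading "-" (read as a mail option) all still pass through unchanged; match an allowlist instead, e.g. refuse anything that is not `[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+`, and on a mismatch skip the notification rather than sending to the modified address, which is what the code after the "Intrusion???" mail still does. Two smaller points: `${x//pat/}` is a bash-only expansion, which deserves a note next to it since the rest of the script reads as plain sh, and the warning heredoc repeats the entire 14-line comment block (with "rebbot" for "reboot") where a one-line note plus the raw $2/$7 values would do.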
@@ -171,8 +215,8 @@
 
 echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx >
${tmpdir}/logfile
 echo ${scanscriptname} called $* >>${tmpdir}/logfile
-echo FROM: $2 >>/${tmpdir}/logfile
-echo TO: $7 >>/${tmpdir}/logfile
+echo FROM: $sender >>/${tmpdir}/logfile
+echo TO: $receiver >>/${tmpdir}/logfile
 
 ${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null 
2>&1
 
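Review bot: the two changed appends write to `/${tmpdir}/logfile` while the file is created four lines earlier as `${tmpdir}/logfile`; with an absolute tmpdir the extra slash is harmless, with a relative one the FROM/TO lines land in a different file, so drop the stray leading slash while these lines are being touched. Also, the `called $*` line just above still records the raw arguments, which is fine for a plain file write and means the log, not the warning mail, keeps the unsanitised value.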
@@ -597,11 +641,11 @@
 
 ################### send a mail back to sender 
######################
 
-cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
+cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver" 
$sender
 
                    V I R U S  A L E R T
 
-  Our viruschecker found a VIRUS in your email to "$7".
+  Our viruschecker found a VIRUS in your email to 
"$receiver".
            We stopped delivery of this email!
 
     Now it is on you to check your system for 
viruses           
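Review bot: `$sender` is expanded unquoted as the address argument on the `${mail}` line, so even after the substitutions a value containing whitespace is split into several recipients and one starting with "-" is parsed as a mail option; pass it as `-- "$sender"`. The `$receiver` in the subject already sits inside double quotes and needs no change.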
@@ -614,12 +658,12 @@
 
 ############### send a mail to the addressee 
########################
 
-cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7
+cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM 
$sender" $receiver
 
                    V I R U S  A L E R T
 
   Our viruschecker found a VIRUS in a mail from 
-     "$2"
+     "$sender"
   to you.
   
   Delivery of the email was stopped!
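Review bot: same quoting issue as in the sender notification: `$receiver` is unquoted on the `${mail}` line and should be passed as `-- "$receiver"`. Since this block and the previous one are the same mail with the two addresses swapped, one helper such as `send_alert subject address` that applies the address check and the quoting in a single place would replace four unquoted expansions.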

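The command-injection path described above (the sender address from $2 reaching a shell unchanged) and the two ways of closing it, the patch's strip-the-metacharacters substitution versus an allowlist check, as an added shell example that is not part of the original post or of AMaViS. It assumes a mailer that re-parses its address argument through a shell, which is what the patch comment attributes to mail(1): `mail_via_shell` is a stand-in for that mailer, the addresses are constructed, and `echo PWNED` takes the place of /sbin/reboot.

```shell
#!/bin/sh
# Added example, not AMaViS code: models the scanmails path in which the
# sender address ($2, attacker-controlled via Reply-To) reaches a mailer
# that re-parses its arguments through a shell, and compares the patch's
# strip-the-metacharacters fix with an allowlist check.
export LC_ALL=C

# Stand-in (assumption) for a mailer that hands its address argument to a
# shell, the behaviour the patch comment attributes to mail(1). Whatever
# the shell treats specially in the address is evaluated right here.
mail_via_shell() {
    sh -c "printf 'deliver to %s\n' $1"
}

# The 30 Jun 1999 patch's sanitiser: delete "`", "$(" and ")" and nothing
# else. The patch uses bash's ${x//pat/}; sed does the same job here so
# the example runs under any POSIX sh.
scrub_addr() {
    printf '%s\n' "$1" | sed 's/`//g; s/\$(//g; s/)//g'
}

# Allowlist check: accept only user@host built from ASCII letters, digits
# and ._%+-, and refuse a leading "-" so the value cannot be read as a
# mail(1) option. Exit status 0 means the address is safe to pass on.
is_safe_addr() {
    case $1 in
        -*)                   return 1 ;;
        *[!A-Za-z0-9._%+@-]*) return 1 ;;
        *@*.*)                return 0 ;;
        *)                    return 1 ;;
    esac
}

# Hardened notification: validate first and never hand a rejected address
# to the mailer at all; the caller can log it the way the patch's
# "Intrusion???" mail does.
notify_sender() {
    if is_safe_addr "$1"; then
        mail_via_shell "$1"
    else
        printf 'refusing to mail suspicious address: %s\n' "$1" >&2
        return 1
    fi
}

# Demonstration on constructed addresses; "echo PWNED" stands in for
# /sbin/reboot so nothing harmful runs.
echo '--- vulnerable: the address reaches the shell unchanged'
mail_via_shell '`echo PWNED`@dummy.com'
echo '--- patched: backticks and $( ) are stripped ...'
printf 'scrubbed: %s\n' "$(scrub_addr '`echo PWNED`@dummy.com')"
printf 'scrubbed: %s\n' "$(scrub_addr '$(echo PWNED)@dummy.com')"
echo '--- ... but ";" is not on the list and still runs a command'
mail_via_shell "$(scrub_addr 'x@dummy.com;echo PWNED')"
echo '--- allowlist: only a well-formed address is ever mailed'
notify_sender 'alice@example.com'
notify_sender 'x@dummy.com;echo PWNED' || echo 'rejected, nothing sent'
```

Run it with sh. The first section shows the backtick being evaluated, the second shows the patch's substitution defusing "`" and "$( )" but letting ";" through, and the third shows the allowlist refusing the address outright. The point of `notify_sender` is that a rejected address never reaches the mailer, whereas the patch warns the administrator and then still sends to the modified value.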
