Security Incidents mailing list archives

Re: <victim>server formmail.pl exploit in the wild


From: Andrew Daviel <andrew () andrew triumf ca>
Date: Fri, 12 Apr 2002 16:02:31 -0700 (PDT)

On Fri, 12 Apr 2002, Chris Murley wrote:

> So, we wrote a wrapper that checks to see how many emails the cgi is trying
> to send to; if it's more than 4, we stop the email from going out.

The attempts I saw in the last week were coming from all over; many 
unresolved (probably Far East) addresses. One guy on Earthlink was very 
persistent.

I saw some attempts trying to send to 30 recipients, but most were going 
to one or sometimes two. The AOL fraud attempts were sending the 
same message from a variety of different addresses.

While an enumerated list of recipients can be used, that adds a 
maintenance problem in adding new users.

One idea that occurred to me was to set a cookie in a CGI-generated 
no-cache web bug (or small icon) that the user would include with their form. The mail 
script would check for the correct cookie. It could be a one-time unique 
cookie, or a random string, perhaps hashed from the server address. 
Anything could be defeated on a one-time basis, but it would take a bit of effort.

Or, more simply, your users could be told to set a particular hidden 
form value and the script set to require it. Clearly an abuser would be 
able to read the HTML and set the value, but it would block the vast 
majority of automated abuse ( send to http://some.org/cgi-bin/formmail.pl
with recipient=dropbox and subject=http://some.org/cgi-bin/formmail.pl, 
then just build a list from the incoming mail)

 -- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca
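The two countermeasures discussed in this thread, the recipient-count cap from the quoted wrapper and the hidden form value / one-time cookie check proposed in the reply, as an added example in Python. This is not code from the post, from the poster, or from formmail.pl (which is Perl); the field names "recipient", "formtoken" and "formnonce", the per-server secret, and the sample submissions are all assumptions constructed for the illustration.

```python
"""Checks a formmail-style CGI wrapper could apply before sending mail.

Added illustration, not code from the post or from formmail.pl.
Assumed (hypothetical) conventions: the recipient field is "recipient"
and comma-separated, the hidden value is "formtoken", the one-time
cookie is "formnonce", and the server holds a secret used to derive
the hidden value from the server address.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

MAX_RECIPIENTS = 4                              # the cut-off the quoted wrapper uses
SERVER_ADDRESS = "some.org"                     # hostname from the post's example URL
SERVER_SECRET = b"constructed-secret-for-demo"  # assumption: per-server secret

# One-time nonces issued with the form (a real CGI would persist these).
_issued_nonces = set()


def split_recipients(value):
    """formmail takes a comma-separated recipient list; drop blanks."""
    return [r.strip() for r in value.split(",") if r.strip()]


def form_token(server_address=SERVER_ADDRESS, secret=SERVER_SECRET):
    """Fixed hidden-field value, 'hashed from the server address'.

    Keyed with a secret so it cannot be computed from the hostname alone;
    reading the published HTML still reveals it, which is the post's caveat.
    """
    return hmac.new(secret, server_address.encode(), hashlib.sha256).hexdigest()[:32]


def issue_nonce():
    """One-time cookie variant: issued with the form, valid for one post."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce


def consume_nonce(nonce):
    """True exactly once per issued nonce; a replay or unknown value fails."""
    if nonce in _issued_nonces:
        _issued_nonces.remove(nonce)
        return True
    return False


def check_submission(query_string, max_recipients=MAX_RECIPIENTS, require_nonce=False):
    """Return (accept, reason) for a form post given as a query string."""
    fields = parse_qs(query_string, keep_blank_values=True)

    def first(name):
        return fields.get(name, [""])[0]

    recipients = split_recipients(first("recipient"))
    if not recipients:
        return False, "no recipient"
    if len(recipients) > max_recipients:
        return False, "too many recipients (%d)" % len(recipients)

    # Hidden form value every legitimate form on the site must carry.
    if not hmac.compare_digest(first("formtoken"), form_token()):
        return False, "missing or wrong hidden form value"

    # Optional one-time cookie check on top of the fixed value.
    if require_nonce and not consume_nonce(first("formnonce")):
        return False, "missing, reused or unknown nonce"

    return True, "ok"


# Constructed submissions (not captured traffic).
LEGIT = "recipient=webmaster%40some.org&subject=Feedback&formtoken=" + form_token()
# The probe pattern from the post: drop-box recipient, script URL as subject, no token.
PROBE = "recipient=dropbox%40example.net&subject=http%3A%2F%2Fsome.org%2Fcgi-bin%2Fformmail.pl"
# A 30-recipient blast like the ones mentioned in the reply.
SPAM_30 = ("recipient=" + "%2C".join("u%d%%40example.net" % i for i in range(30))
           + "&formtoken=" + form_token())

if __name__ == "__main__":
    for name, qs in (("legit", LEGIT), ("probe", PROBE), ("spam30", SPAM_30)):
        print(name, check_submission(qs))
```

The fixed hidden value blocks the harvest-then-relay automation described in the post without any per-user maintenance; the nonce variant raises the bar further but, as the post says, a determined abuser who fetches the form each time can still get one submission through per fetch.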


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

