[11056] in bugtraq
AMaViS virus scanner for Linux - root exploit
daemon@ATHENA.MIT.EDU (Chris McDonough)
Sat Jul 17 04:02:14 1999
Message-Id: <19990716160043.77852.qmail@securityfocus.com>
Date: Fri, 16 Jul 1999 16:00:43 -0000
Reply-To: Chris McDonough <mcdonc@IQGROUP.COM>
From: Chris McDonough <mcdonc@IQGROUP.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
The AMaViS incoming-mail virus scanning utility (available
at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has a
remotely exploitable command-injection problem.
I tried to contact the maintainer of the package (Christian
Bricart) on June 26, and again several times over the course
of the last month, but I have not received anything from him
and the AMaViS website does not yet acknowledge the problem
or provide a fix. However, on Jun 30, co-contributors to
the package (Juergen Quade and Mogens Kjaer) responded
quickly with an acknowledgement of the problem and a few
fixes. Because the co-authors do not maintain the
downloadable package, however, the latest downloadable
version of AMaViS (0.2.0-pre4 and possibly earlier) still
has a bug which allows remote users to send arbitrary
commands as root to a Linux machine running the AMaViS
scripts.
Exploit:
Send a message with a virus-infected file attachment. Use
something like "`/sbin/reboot`@dummy.com" as your reply-to
address in your MUA when sending the message. When the
AMaViS host receives the message, its scripts detect the
virus and construct a notification to send back to the
sender address of the infected message; see line 601 onward
in the "scanmails" script:
cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
V I R U S A L E R T
Our viruschecker found a VIRUS in your email to "$7".
We stopped delivery of this email!
Now it is on you to check your system for viruses
For further information about this viruschecker see:
http://aachalon.de/AMaViS/
AMaViS - A Mail Virus Scanner, licenced GPL
EOF
... $2 is the sender address taken from the message, i.e. the
reply-to address the attacker chose, and it is placed unquoted
on the ${mail} command line. When that address is interpolated
into a shell command (the patch below attributes this to the
"mail" program), the backticks are evaluated as a command
substitution and /sbin/reboot, or whatever was supplied, runs
with the privileges of the scanner, which is root.
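The unsafe ingredient above is an attacker-controlled address reaching a command line unchecked. The following script, added here as an example and not taken from AMaViS or from the patch author, puts the two possible responses side by side: the strip-and-continue denylist the diff that follows uses, and an allowlist check that refuses to send the notification at all. The function names (strip_meta, valid_addr, notify_sender), the MAILER variable and the sample addresses are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of AMaViS: handling an attacker-controlled address
# before it may touch a command line. strip_meta reproduces the patch's
# denylist; valid_addr is an allowlist; notify_sender refuses to mail when
# either address fails. Names, MAILER and the sample addresses are
# assumptions made for this example.

# Denylist exactly as in the patch: drop "`", "$(" and ")" and nothing else.
strip_meta() {
    printf '%s' "$1" | sed -e 's/`//g' -e 's/\$(//g' -e 's/)//g'
}

# Allowlist: a bare addr-spec made only of [A-Za-z0-9.@_%+-] with exactly
# one "@". Stricter than RFC 822 (no comments, quoting or display names),
# which is the right trade-off for a bounce address: refuse rather than
# guess. Returns 0 if acceptable, 1 otherwise.
valid_addr() {
    case "$1" in
        "")      return 1 ;;
        *@*@*)   return 1 ;;
        *@*)     ;;
        *)       return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.@_%+-]*) return 1 ;;
    esac
    return 0
}

# Send the virus notification only when both addresses pass the allowlist.
# Arguments: sender receiver. MAILER (default "mail") is the mail command;
# it is a variable so the function can be exercised without sending mail.
# Returns 0 when a notification was handed to MAILER, 2 when refused.
notify_sender() {
    sender=$1
    receiver=$2
    if ! valid_addr "$sender" || ! valid_addr "$receiver"; then
        printf 'refusing virus notification: bad address "%s" or "%s"\n' \
            "$sender" "$receiver" >&2
        return 2
    fi
    # Heredoc expansion of $receiver only substitutes text; the danger was
    # the unquoted address on the mail command line, so it is quoted here.
    "${MAILER:-mail}" -s "VIRUS IN YOUR MAIL TO $receiver" "$sender" <<EOF
V I R U S   A L E R T
Our viruschecker found a VIRUS in your email to "$receiver".
We stopped delivery of this email!
EOF
}

# Payloads from the advisory (constructed here), one the denylist misses,
# and one legitimate address, run through both approaches.
for addr in '`/sbin/reboot`@dummy.com' '$(/sbin/reboot)@softing.com' \
            'x;/sbin/reboot;@dummy.com' 'mcdonc@IQGROUP.COM'; do
    if valid_addr "$addr"; then v=accept; else v=reject; fi
    printf 'strip -> %-28s allowlist -> %s\n' "$(strip_meta "$addr")" "$v"
done
```

The loop shows the difference in one screen: the denylist turns the advisory's two payloads into plausible-looking addresses and passes the ";"-based one through unchanged, while the allowlist rejects all three and accepts only the bare addr-spec. Because the notification recipient is whatever the attacker wrote in the reply-to, refusing to send is always an acceptable outcome; repairing the value and sending anyway is not.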
To solve it, Juergen Quade created the following diff
file. It represents the difference between his "secured"
and "insecure" scanmails shell script file. I solved it
differently, using a procmail recipe, but this will work
too:
--- scanmails.orig Wed Jun 30 12:54:02 1999
+++ scanmails Wed Jun 30 12:54:15 1999
@@ -122,6 +122,50 @@
deliver=/usr/bin/procmail
+
############################################################
###
+# Chris McDonough informed us, that it is possible to
execute #
+# programs by sending an email, wich contains a virus and
has #
+# as return address something
like: #
+#
`/sbin/reboot`@softing.com #
+#
or
#
+# $(/sbin/reboot)
@softing.com #
+# The execution of the command (/sbin/reboot) is done by
the #
+# "mail" program. Therefore we parse the arguments in
order #
+# to substitute those characters to
nothing #
+
#
#
+# Wed Jun 30 11:47:55 MEST
1999 #
+
############################################################
###
+
+# substitute all "`","$(",")" to nothing
+receiver=${7//\`/}
+receiver=${receiver//\$\(/}
+receiver=${receiver//\)/}
+
+sender=${2//\`/}
+sender=${sender//\$\(/}
+sender=${sender//\)/}
+
+if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then
+ cat <<EOF | ${mail} -s "Intrusion???" ${mailto}
+
############################################################
###
+# Chris McDonough informed us, that it is possible to
execute #
+# programs by sending an email, wich contains a virus and
has #
+# as return address something
like: #
+#
\`/sbin/rebbot\`@softing.com #
+#
or
#
+# \$\(/sbin/rebbot\)
@softing.com #
+# The execution of the command (/sbin/rebbot) is done by
the #
+# "mail" program. Therefore we parse the arguments in
order #
+# to substitute those characters to
nothing #
+
#
#
+# Wed Jun 30 11:47:55 MEST
1999 #
+
############################################################
###
+ $7 or $2 is not a valid Email address
+ (changed to $receiver and $sender)!
+EOF
+fi
+#
+
################################################
# main program #
# -------------- #
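Review bot: the sanitisation in this hunk is a denylist that removes only "`", "$(" and ")", yet $sender and $receiver are still placed unquoted on the ${mail} command line further down, so any other shell metacharacter an attacker puts in the reply-to (";", "|", "&", "<", ">", a newline, or whitespace that splits into extra arguments) passes through untouched. Prefer an allowlist: accept an address only if it consists of characters that can appear in a bare addr-spec and contains exactly one "@", and otherwise skip the notification rather than mailing a mangled value; the "Intrusion???" branch currently alerts ${mailto} but does not stop the script, so the stripped address is still used afterwards. Two smaller points: ${7//\`/} is a bash extension, so the script must run under bash (a #!/bin/sh on a system where sh is not bash will fail here); and the alert text spells the example command "rebbot" three times.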
@@ -171,8 +215,8 @@
echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx >
${tmpdir}/logfile
echo ${scanscriptname} called $* >>${tmpdir}/logfile
-echo FROM: $2 >>/${tmpdir}/logfile
-echo TO: $7 >>/${tmpdir}/logfile
+echo FROM: $sender >>/${tmpdir}/logfile
+echo TO: $receiver >>/${tmpdir}/logfile
${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null
2>&1
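Review bot: logging the sanitised values here loses the evidence an incident responder needs to see what was actually sent. Expanding $2 in an echo argument does not run the embedded command (parameter expansion is not re-evaluated for backticks or $( )), so the raw reply-to can be logged safely as long as it is quoted: echo "FROM: $2" >>${tmpdir}/logfile. Also, both the removed and the added lines write to /${tmpdir}/logfile with a stray leading slash, while the two echo lines above them use ${tmpdir}/logfile; make the paths consistent.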
@@ -597,11 +641,11 @@
################### send a mail back to sender
######################
-cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
+cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver"
$sender
V I R U S A L E R T
- Our viruschecker found a VIRUS in your email to "$7".
+ Our viruschecker found a VIRUS in your email to
"$receiver".
We stopped delivery of this email!
Now it is on you to check your system for
viruses
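Review bot: $sender is still passed as an unquoted argument to ${mail}, so word splitting and any metacharacter the strip left behind still reach the command line; quote it ("$sender") and, better, only reach this line after the address has passed a validity check. The recipient here is whatever the attacker wrote as reply-to, so this notification is optional by design; if the sanitisation changed the value at all, the safest action is not to send it.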
@@ -614,12 +658,12 @@
############### send a mail to the addressee
########################
-cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7
+cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM
$sender" $receiver
V I R U S A L E R T
Our viruschecker found a VIRUS in a mail from
- "$2"
+ "$sender"
to you.
Delivery of the email was stopped!
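Review bot: same unquoted use of $receiver on the ${mail} line, with an extra side effect: stripping ")" also mangles a legitimate RFC 822 address that carries a comment, such as user@example.com (Some Name), so if $7 ever contains one the "Intrusion???" alert to ${mailto} fires on innocent mail and this notification goes to a corrupted address. Extract the bare addr-spec (the part inside < > when present) before validating it, and reject rather than repair anything that does not parse.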