Posted to dev@spamassassin.apache.org by Eric Kolve <ek...@classmates.com> on 2004/02/23 23:26:32 UTC

perl eval in uri regex

While perusing some of the code in SA, I noticed that you can define
custom rules with your own regexes for URI tests.  At the same time, you
can put in anything you want that will compile into a conditional.  
So the following should be possible:

uri BAD_TEST   s#.#system('rm -rf /root')#e;
score BAD_TEST 5.0
describe BAD_TEST do very bad thing


I assume something like this is really only a risk if you run spamd as
root and enable local user configuration.  Is this exploit known about?
Or rather, does it even exist (I could be missing something protecting
against this)?

thanks,
--eric

Re: perl eval in uri regex

Posted by Duncan Findlay <du...@debian.org>.
On Mon, Feb 23, 2004 at 02:26:32PM -0800, Eric Kolve wrote:
> While perusing some of the code in SA, I noticed that you can define
> custom rules with your own regexes for URI tests.  At the same time, you
> can put in anything you want that will compile into a conditional.  
> So the following should be possible:
> 
> uri BAD_TEST   s#.#system('rm -rf /root')#e;
> score BAD_TEST 5.0
> describe BAD_TEST do very bad thing
> 
> 
> I assume something like this is really only a risk if you run spamd as
> root and enable local user configuration.  Is this exploit known about?
> Or rather, does it even exist (I could be missing something protecting
> against this)?

I'm not sure if this syntax would work. (I haven't tried it.) However,
it is known that this type of exploit is possible if allow_user_rules
is enabled. If spamd is set to setuid to the user (as is the default),
this type of exploit should not be possible. However, if spamd is run
with -u root or similar, then this is a problem. To avoid this, simply
don't enable allow_user_rules.

In short, read man Mail::SpamAssassin::Conf.

       allow_user_rules { 0 | 1 }         (default: 0)

           This setting allows users to create rules (and only rules)
           in their "user_prefs" files for use with "spamd". It
           defaults to off, because this could be a severe security
           hole. It may be possible for users to gain root level
           access if "spamd" is run as root. It is NOT a good idea,
           unless you have some other way of ensuring that users'
           tests are safe. Don't use this unless you are certain you
           know what you are doing. Furthermore, this option causes
           spamassassin to recompile all the tests each time it
           processes a message for a user with a rule in his/her
           "user_prefs" file, which could have a significant effect on
           server load. It is not recommended.

-- 
Duncan Findlay
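
A configuration check for the condition described in the reply above, as an added example that is not part of the original thread and not SpamAssassin's own code: it reports whether allow_user_rules is on, whether spamd was started with -u root, and which rules a user_prefs text defines so they can be reviewed. The function names, the list of rule keywords beyond "uri", the "last setting wins" reading and the sample inputs are assumptions constructed for illustration.

```python
import re
import shlex

# "uri" is the rule type from the thread; the rest of this list is an assumption.
RULE_TYPES = ("uri", "body", "rawbody", "header", "full", "meta")
RULE_RE = re.compile(r"^\s*(%s)\s+(\S+)\s+\S" % "|".join(RULE_TYPES))
ALLOW_RE = re.compile(r"^\s*allow_user_rules\s+([01])\b")

# Constructed sample inputs (not taken from a real system).
SITE_CONF = "# local.cf\nallow_user_rules 1\n"
SPAMD_OPTIONS = "-d -u root"
USER_PREFS = "uri LOCAL_TEST /example\\.com/\nscore LOCAL_TEST 5.0\n"


def user_rules_enabled(site_conf):
    """True if allow_user_rules ends up as 1 (documented default: 0)."""
    enabled = False
    for line in site_conf.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            enabled = m.group(1) == "1"  # assumption: the last setting wins
    return enabled


def spamd_user(options):
    """Argument of spamd's -u option, or None if the option is absent."""
    args = shlex.split(options)
    for i, arg in enumerate(args[:-1]):
        if arg == "-u":
            return args[i + 1]
    return None


def rules_in_prefs(user_prefs):
    """(line number, type, name) for every rule a user_prefs text defines."""
    found = []
    for n, line in enumerate(user_prefs.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            found.append((n, m.group(1), m.group(2)))
    return found


def audit(site_conf, spamd_options, user_prefs):
    """Severity plus the user rules that would be compiled and run."""
    if not user_rules_enabled(site_conf):
        return "ok", []  # user rules are ignored, nothing to review
    level = "critical" if spamd_user(spamd_options) == "root" else "warning"
    return level, rules_in_prefs(user_prefs)
```

With the sample inputs, audit(SITE_CONF, SPAMD_OPTIONS, USER_PREFS) reports "critical" and lists the one uri rule; the same configuration without -u root is reported as "warning".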

Re: perl eval in uri regex

Posted by Theo Van Dinter <fe...@kluge.net>.
On Mon, Feb 23, 2004 at 02:26:32PM -0800, Eric Kolve wrote:
> I assume something like this is really only a risk if you run spamd as
> root and enable local user configuration.  Is this exploit known about?
> Or rather, does it even exist (I could be missing something protecting
> against this)?

Well, it's a risk if you run spamd and let users call it at all imo.
That's why user-defined rules are disabled by default and the docs warn
of large security issues if you do enable them.

-- 
Randomly Generated Tagline:
Ah, sweet pity: where would my love life have been without it?
 
 		-- Homer Simpson
 		   I Love Lisa