Posted to users@spamassassin.apache.org by Joe Acquisto-j4 <jo...@j4computers.com> on 2014/10/29 16:26:44 UTC
shellshock via SMTP?
Comments on the ZD net article that claims shellshock exploit via crafty SMTP headers? Just asking, that's all . . .
I attached a link to it below, please excuse if that is improper behavior.
http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/
Re: shellshock via SMTP?
Posted by "R.E. Sonneveld" <R....@sonnection.nl>.
On Oct 29, 2014, at 16:54, Mark Martinec <Ma...@ijs.si> wrote:
> 2014-10-29 16:26, Joe Acquisto-j4 wrote:
>> Comments on the ZD net article that claims shellshock exploit via
>> crafty SMTP headers? Just asking, that's all . . .
>> I attached a link to it below, please excuse if that is improper behavior.
>> http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/
>
> I have seen one such sample. Must be a really dumb mail delivery agent
> or a content filter or a MUA that lets a mail header touch a shell.
>
> No matter whether bash is patched or not, tainted data from a mail
> message must never be handed over to shell.
>
> Mark
In the Wikipedia article on shellshock, qmail is mentioned. See also http://www.gossamer-threads.com/lists/qmail/users/138578
/rolf
Re: shellshock via SMTP?
Posted by John Wilcock <jo...@tradoc.fr>.
On 29/10/2014 16:54, Mark Martinec wrote:
> 2014-10-29 16:26, Joe Acquisto-j4 wrote:
>> Comments on the ZD net article that claims shellshock exploit via
>> crafty SMTP headers? Just asking, that's all . . .
>>
>> I attached a link to it below, please excuse if that is improper
>> behavior.
>> http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/
>
> I have seen one such sample. Must be a really dumb mail delivery agent
> or a content filter or a MUA that lets a mail header touch a shell.
Even my low-volume server has seen a few attempts, though the sending
bots didn't follow proper SMTP protocol and were duly rejected by
postscreen (not that they would have gotten anywhere near a shell anyway
of course!). Curiously most appeared to be proof-of-concept testing
rather than a true attack, as they were attempting to call /usr/bin/id.
--
John
Re: shellshock via SMTP?
Posted by Mark Martinec <Ma...@ijs.si>.
2014-10-29 16:26, Joe Acquisto-j4 wrote:
> Comments on the ZD net article that claims shellshock exploit via
> crafty SMTP headers? Just asking, that's all . . .
>
> I attached a link to it below, please excuse if that is improper
> behavior.
> http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/
I have seen one such sample. Must be a really dumb mail delivery agent
or a content filter or a MUA that lets a mail header touch a shell.
No matter whether bash is patched or not, tainted data from a mail
message must never be handed over to shell.
Mark
Re: shellshock via SMTP?
Posted by John Hardin <jh...@impsec.org>.
On Wed, 29 Oct 2014, Joe Acquisto-j4 wrote:
> Comments on the ZD net article that claims shellshock exploit via crafty SMTP headers? Just asking, that's all . . .
>
> I attached a link to it below, please excuse if that is improper behavior.
>
> http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/
There is at least one going around.
http://www.exploit-db.com/exploits/34896/
I've put what I hope are mitigations in my sample milter-regex.conf but I
haven't actually tested them.
http://www.impsec.org/~jhardin/antispam/
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
2 days until Halloween
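
The header check this thread discusses, as an added Python example that is not part of any poster's message and is not John Hardin's milter-regex configuration. It flags header or envelope values carrying the `() {` prefix that affected Bash versions import from the environment as a function definition; the function names, the regex and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import compat32

# Affected Bash imports an environment value that begins with "() {" as a
# function. This pattern is deliberately looser (optional whitespace, match
# anywhere in the value) but skips "name() {" so quoted code is not flagged.
FUNC_PREFIX = re.compile(r"(?<!\w)\(\s*\)\s*\{")

def is_suspicious(value):
    """True if a header or envelope value carries the function prefix."""
    # Unfold continuation lines so the reported value is a single line.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    return FUNC_PREFIX.search(unfolded) is not None

def suspicious_headers(raw_message):
    """Return the names of headers (body excluded) that should be rejected."""
    msg = message_from_string(raw_message, policy=compat32)
    return [name for name, value in msg.items() if is_suspicious(str(value))]

# Constructed sample message: two flagged headers, one benign look-alike,
# and a body line that must be ignored because only headers are scanned.
SAMPLE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "From: () { :; }; /usr/bin/id\n"
    "To: user@example.net\n"
    "Subject: (){\n"
    "\t:; }; /usr/bin/id\n"
    "X-Note: see foo() { ... } in the docs\n"
    "\n"
    "body text () { not a header\n"
)

if __name__ == "__main__":
    for name in suspicious_headers(SAMPLE):
        print("reject: function-definition prefix in header", name)
```

A filter like this is only a second layer: as Mark Martinec says above, the delivery path should not hand message data to a shell in the first place.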