ISS X-Force Database: spamassassin-spamd-command-execution(27008): SpamAssassin spamd --vpopmail/-P command execution

SpamAssassin spamd --vpopmail/-P command execution

spamassassin-spamd-command-execution (27008)

High Risk

Description:

SpamAssassin could allow a remote attacker to execute arbitrary commands on the system. If spamd is executed with the --vpopmail (-v) and --paranoid (-P) switches, a remote attacker could send a message using a specially-crafted virtual pop username to execute arbitrary commands on the affected system with the privileges of the spamd daemon.

Platforms Affected:

Apache, SpamAssassin 3.1.0
Apache, SpamAssassin 3.1.1
Apache, SpamAssassin 3.1.2
Debian, Debian Linux 3.1
Gentoo, Linux
MandrakeSoft, Mandrake Linux 2006 X86_64
MandrakeSoft, Mandrake Linux 2006
MandrakeSoft, Mandrake Linux LE2005
MandrakeSoft, Mandrake Linux LE2005 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 4 AS
RedHat, Enterprise Linux 4 Desktop
rPath, rPath Linux 1

Remedy:

Upgrade to the latest version of SpamAssasin (3.1.3 or later) or (3.0.6 or later), available from the SpamAssassin Web site. See References.

For Red Hat Linux:
Refer to RHSA-2006:0543-10 for patch, upgrade, or suggested workaround information.

For Debian GNU/Linux:
Refer to DSA-1090-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-06-09 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

Consequences:

Gain Access

References:

Full-Disclosure Mailing List, Wed Jun 07 2006 - 13:07:50 CDT, rPSA-2006-0096-1 spamassassin at http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0056.html.
SpamAssassin Web site, SpamAssassin: Downloads at http://spamassassin.apache.org/downloads.cgi?update=200606050750.
SpamAssassin-Users Forum, 2006-06-05 12:13, ANNOUNCE: Apache SpamAssassin 3.1.3 available! at http://www.nabble.com/ANNOUNCE%3A-Apache-SpamAssassin-3.1.3-available%21-t1736096.html.
ASA-2006-121: spamassassin security update (RHSA-2006-0543)
BID-18290: SpamAssassin Vpopmail and Paranoid Switches Remote Command Execution Vulnerability
CVE-2006-2447: SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
DSA-1090: spamassassin -- programming error
GLSA-200606-09: SpamAssassin: Execution of arbitrary code
MDKSA-2006:103: Updated spamassassin packages fix vulnerability
RHSA-2006-0543: spamassassin security update
SA20430: SpamAssassin "spamd" Shell Command Injection Vulnerability
SECTRACK ID: 1016230: SpamAssassin handle_user() Bug Lets Remote Users Execute Arbitrary Commands
SECTRACK ID: 1016235: (Red Hat Issues Fix) SpamAssassin handle_user() Bug Lets Remote Users Execute Arbitrary Commands
VUPEN/ADV-2006-2148: SpamAssassin Vpopmail and Paranoid Switches Code Execution Vulnerability

Reported:

Jun 05, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page