AMaViS Arbitrary Command Execution Vulnerability

Solution:
Christian Bricart released a fixed version (0.2.0-pre6) available at:

http://aachalon.de/AMaViS/

The fixed version requires sed to be available on the machine it runs on.

--

The co-authors of AMaViS provided the following patch:

--- scanmails.orig Wed Jun 30 12:54:02 1999
+++ scanmails Wed Jun 30 12:54:15 1999
@@ -122,6 +122,50 @@

deliver=/usr/bin/procmail

+
############################################################
###
+# Chris McDonough informed us, that it is possible to
execute #
+# programs by sending an email, wich contains a virus and
has #
+# as return address something
like: #
+#
`/sbin/reboot`@softing.com #
+#
or
#
+# $(/sbin/reboot)
@softing.com #
+# The execution of the command (/sbin/reboot) is done by
the #
+# "mail" program. Therefore we parse the arguments in
order #
+# to substitute those characters to
nothing #
+
#
#
+# Wed Jun 30 11:47:55 MEST
1999 #
+
############################################################
###
+
+# substitute all "`","$(",")" to nothing
+receiver=${7//\`/}
+receiver=${receiver//\$\(/}
+receiver=${receiver//\)/}
+
+sender=${2//\`/}
+sender=${sender//\$\(/}
+sender=${sender//\)/}
+
+if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then
+ cat <<EOF | ${mail} -s "Intrusion???" ${mailto}
+
############################################################
###
+# Chris McDonough informed us, that it is possible to
execute #
+# programs by sending an email, wich contains a virus and
has #
+# as return address something
like: #
+#
\`/sbin/rebbot\`@softing.com #
+#
or
#
+# \$\(/sbin/rebbot\)
@softing.com #
+# The execution of the command (/sbin/rebbot) is done by
the #
+# "mail" program. Therefore we parse the arguments in
order #
+# to substitute those characters to
nothing #
+
#
#
+# Wed Jun 30 11:47:55 MEST
1999 #
+
############################################################
###
+ $7 or $2 is not a valid Email address
+ (changed to $receiver and $sender)!
+EOF
+fi
+#
+
################################################
# main program #
# -------------- #
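Review bot: the substitutions starting at `receiver=${7//\`/}` are a denylist that strips only the three tokens named in the report (backtick, `$(` and `)`); if the `mail` program hands the address to a shell, any other shell metacharacter the diff does not touch would still reach it, so an allowlist that accepts only the characters of a plain mailbox address and rejects everything else is the more robust check. Two smaller points on the same block: `${var//pattern/}` is a bash extension, so scanmails must run under bash rather than a plain `/bin/sh`, and after the `Intrusion???` alert is mailed the script carries on with the rewritten `$sender`/`$receiver` values instead of stopping, so the later bounce mails go to a mangled address. The comment block is also pasted verbatim into the heredoc, duplicating its typos (`wich`, `rebbot`); a one-line reference to the comment above would do.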
@@ -171,8 +215,8 @@

echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx >
${tmpdir}/logfile
echo ${scanscriptname} called $* >>${tmpdir}/logfile
-echo FROM: $2 >>/${tmpdir}/logfile
-echo TO: $7 >>/${tmpdir}/logfile
+echo FROM: $sender >>/${tmpdir}/logfile
+echo TO: $receiver >>/${tmpdir}/logfile

${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null
2>&1

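Review bot: the two `+` lines keep the stray leading slash in `>>/${tmpdir}/logfile`, while the `echo xxxx...` and `echo ${scanscriptname} called $*` lines just above write to `${tmpdir}/logfile`; the doubled slash only works because `${tmpdir}` is absolute, so drop the `/` while these lines are being touched. The `called $*` line still records the raw positional arguments, which is fine for `echo` and useful for incident review, since the unmodified address survives in the log even when the sanitization rewrites it.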
@@ -597,11 +641,11 @@

################### send a mail back to sender
######################

-cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
+cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver"
$sender

V I R U S A L E R T

- Our viruschecker found a VIRUS in your email to "$7".
+ Our viruschecker found a VIRUS in your email to
"$receiver".
We stopped delivery of this email!

Now it is on you to check your system for
viruses
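Review bot: when the check in the first hunk fires, `$sender` here is the rewritten value, so this notice is addressed to a mangled mailbox in exactly the case the patch is meant to catch; consider setting a flag in that branch and skipping the mail-back-to-sender when it is set (a forged return address gets no useful bounce anyway). Otherwise this is the right call site to fix, since it is where `$2` previously reached `${mail}` unmodified, and the double quoting of the `-s` subject is intact.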
@@ -614,12 +658,12 @@

############### send a mail to the addressee
########################

-cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7
+cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM
$sender" $receiver

V I R U S A L E R T

Our viruschecker found a VIRUS in a mail from
- "$2"
+ "$sender"
to you.

Delivery of the email was stopped!
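Review bot: the diff switches only the three `${mail}` call sites shown; any other place in scanmails where `$2` or `$7` reaches `${mail}` or another external command needs the same `$sender`/`$receiver` substitution, otherwise the check added at line 122 protects just these sites. For this hunk the change is complete, and the subject string remains inside double quotes so the rewritten value is not re-expanded.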
