CVE-2010-1132
published 2010-03-27

Priority: P264 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.58% (94.4th percentile)
The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
debian | spamass-milter | < spamass-milter 0.3.1-9 (bookworm) | spamass-milter 0.3.1-9 (bookworm)
georg_greve | spamassassin_milter_plugin | |

Detection & IOCs

command: rcpt to: root+:"|touch /tmp/foo"
filename: spamass-milter.cpp
process: popen(buf, "r")
command: char *fmt="%s -bv \"%s\" 2>&1"
  • Monitor SMTP RCPT TO fields for shell metacharacters, particularly pipe characters (|), backticks, semicolons, and quoted command strings indicative of command injection attempts.
  • Detect exploitation pattern: RCPT TO addresses containing the pattern root+:"| <command>" or similar shell injection syntax passed to popen() via the -bv sendmail flag.
  • Alert on spamass-milter processes spawning unexpected child processes (e.g., sh, touch, wget) as a result of popen() exploitation when the -x (expand) flag is active.
  • Check for unexpected file creation in /tmp by root or the milter user (sa-milt), which may indicate successful command injection via the RCPT TO field.
  • Audit spamass-milter startup arguments for the presence of the -x (expand) flag; its use is required for exploitation and is not the default configuration.
  • The vulnerability is only exploitable when spamass-milter is started with the -x (expand) flag; the default configuration does NOT use this flag and is therefore not vulnerable.
  • In Fedora/EPEL packages, the milter runs as the dedicated 'sa-milt' user rather than root, reducing the impact of successful exploitation compared to a root-running instance.
  • SELinux confinement limits the attacker's ability to write to arbitrary paths (e.g., /tmp); exploitation is likely constrained to /var/{lib,run}/spamass-milter on SELinux-enabled systems.
  • The -x option requires the milter to run as root (to invoke 'sendmail -bv' for alias expansion); non-root deployments using -x would still allow command execution as the milter's UID.
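
The RCPT TO metacharacter check and the -x startup audit from the list above, combined into one triage pass. This is an added Python example, not code from the advisory sources or from spamass-milter; the sample SMTP lines, the socket path and the function names are constructed for illustration.

```python
import re
import shlex

# Heuristic set: some of these are legal in an RFC 5321 local part but are
# rare in real recipients, so treat hits as leads to review, not verdicts.
SHELL_META = set('|`;&$()<>"\'\\')
RCPT_RE = re.compile(r'^\s*RCPT\s+TO:\s*(.*)$', re.IGNORECASE)


def rcpt_metachars(smtp_line):
    """Return the sorted shell metacharacters found in a RCPT TO argument."""
    m = RCPT_RE.match(smtp_line)
    if not m:
        return []
    arg = m.group(1).strip()
    # <addr> is normal SMTP path syntax: drop the outer pair before scanning.
    if arg.startswith('<') and '>' in arg:
        arg = arg[1:arg.rfind('>')]
    return sorted(SHELL_META.intersection(arg))


def expand_enabled(cmdline):
    """True if a spamass-milter command line carries the -x (expand) flag."""
    argv = shlex.split(cmdline)
    if '--' in argv:  # assumption: arguments after "--" are not the milter's own
        argv = argv[:argv.index('--')]
    return '-x' in argv[1:]


def triage(smtp_lines, cmdline):
    """Pair each suspicious RCPT TO line with whether the host runs with -x."""
    exposed = expand_enabled(cmdline)
    return [(line, chars, exposed) for line in smtp_lines
            if (chars := rcpt_metachars(line))]


if __name__ == '__main__':
    # Constructed sample input; the second line is the string quoted on this page.
    session = [
        'RCPT TO:<alice@example.com>',
        'rcpt to: root+:"|touch /tmp/foo"',
        'MAIL FROM:<bob@example.org>',
        'RCPT TO:<carol+lists@example.net> NOTIFY=NEVER',
    ]
    cmd = '/usr/sbin/spamass-milter -p /run/spamass-milter/sock -x'  # constructed
    for line, chars, exposed in triage(session, cmd):
        print(f'exposed={exposed} metachars={"".join(chars)} line={line!r}')
```

A hit on a host where `expand_enabled` is false is still worth logging as a probe, but only hosts started with -x are reachable through this code path.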

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
osv: 9.3 CRITICAL
vendor_debian: 9.3 CRITICAL
vendor_redhat: 9.3 CRITICAL