CVE-2010-1132
published 2010-03-27
CVE-2010-1132: The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary…
PriorityP264critical9.3CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.58% (94.4th percentile)
The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | spamass-milter | < spamass-milter 0.3.1-9 (bookworm) | spamass-milter 0.3.1-9 (bookworm) |
| georg_greve | spamassassin_milter_plugin | — | — |
Detection & IOCs (extracted from sources)
- Monitor SMTP RCPT TO fields for shell metacharacters, particularly pipe characters (|), backticks, semicolons, and quoted command strings indicative of command injection attempts.
- Detect the exploitation pattern: RCPT TO addresses containing the pattern root+:"| <command>" or similar shell injection syntax passed to popen() via the -bv sendmail flag.
- Alert on spamass-milter processes spawning unexpected child processes (e.g., sh, touch, wget) as a result of popen() exploitation when the -x (expand) flag is active.
- Check for unexpected file creation in /tmp by root or the milter user (sa-milt), which may indicate successful command injection via the RCPT TO field.
- Audit spamass-milter startup arguments for the presence of the -x (expand) flag; its use is required for exploitation and is not the default configuration.
- The vulnerability is only exploitable when spamass-milter is started with the -x (expand) flag; the default configuration does NOT use this flag and is therefore not vulnerable.
- In Fedora/EPEL packages, the milter runs as the dedicated 'sa-milt' user rather than root, reducing the impact of successful exploitation compared to a root-running instance.
- SELinux confinement limits the attacker's ability to write to arbitrary paths (e.g., /tmp); exploitation is likely constrained to /var/{lib,run}/spamass-milter on SELinux-enabled systems.
- The -x option requires the milter to run as root (to invoke 'sendmail -bv' for alias expansion); non-root deployments using -x would still allow command execution as the milter's UID.
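A defender-side check for the first and last detection items above, written as an added example for this page (it is not code from spamass-milter or from any of the cited advisories): it flags RCPT TO addresses carrying shell metacharacters in constructed Postfix-style log lines and inspects a milter command line for the -x flag. The log format and sample lines are constructed, and the treatment of a bare `--` separator assumes spamass-milter's usual getopt-style option parsing.

```python
import re
import shlex
from typing import Dict, List

# Characters with shell meaning when a recipient local-part reaches popen():
# the detection guidance above calls out pipes, backticks, semicolons and quotes.
SHELL_META = re.compile(r'[|`;&$<>\'"\\\n]')

# Postfix-style "to=<address>" field (log format assumed for this example).
TO_FIELD = re.compile(r'to=<([^>]*)>')

# Constructed sample log lines: one carries the injection pattern from the Bugzilla
# report above, the other recipients are ordinary plus-addressed mailboxes.
SAMPLE_LOG = [
    'Mar  7 19:46:01 mx postfix/smtpd[2301]: connect from unknown[192.0.2.10]',
    'Mar  7 19:46:05 mx postfix/qmgr[1190]: 3F2A1: from=<me@example.net>, size=412, nrcpt=1 (queue active)',
    'Mar  7 19:46:05 mx postfix/smtpd[2301]: 3F2A1: client=unknown[192.0.2.10], to=<root+:"|touch /tmp/foo">',
    'Mar  7 19:47:10 mx postfix/local[2310]: 3F2A2: to=<alice+newsletter@example.net>, status=sent',
]

def suspicious_rcpt(addr: str) -> List[str]:
    """Distinct shell metacharacters present in an RCPT TO address (empty list if clean)."""
    return sorted(set(SHELL_META.findall(addr)))

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line whose to=<...> recipient contains shell metacharacters."""
    hits = []
    for line in lines:
        m = TO_FIELD.search(line)
        if not m:
            continue
        meta = suspicious_rcpt(m.group(1))
        if meta:
            hits.append({"rcpt": m.group(1), "meta": meta, "line": line})
    return hits

def expand_flag_set(cmdline: str) -> bool:
    """True if a spamass-milter command line enables alias expansion (-x), bundled flags included.
    Assumption: getopt-style single-letter options; a bare -- ends the milter's own options."""
    for tok in shlex.split(cmdline):
        if tok == "--":
            break
        if re.fullmatch(r"-[A-Za-z]+", tok) and "x" in tok:
            return True
    return False

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious RCPT TO", repr(hit["rcpt"]), "metacharacters:", hit["meta"])
    print("expand flag:", expand_flag_set("/usr/sbin/spamass-milter -p /run/spamass-milter.sock -f -x -u sa-milt"))
```

The audit of startup arguments is the cheaper check: a host whose milter never runs with -x is not exposed, whatever arrives in RCPT TO.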
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-mm8j-8fj4-43p5: The mlfi_envrcpt function in spamass-milter
ghsa_unreviewed · 2022-05-02 · severity HIGH · CWE-78
OSV
CVE-2010-1132: The mlfi_envrcpt function in spamass-milter
osv · 2010-03-27 · CVSS 9.3 (CRITICAL)
Red Hat
Filter: Arbitrary shell command injection (privilege escalation)
vendor_redhat · 2010-03-07 · CVSS 9.3 (CRITICAL)
Debian
CVE-2010-1132: spamass-milter - The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0....
vendor_debian · 2010 · CVSS 9.3 (CRITICAL)
Scope: local
bookworm: resolved (fixed in 0.3.1-9)
bullseye: resolved (fixed in 0.3.1-9)
forky: resolved (fixed in 0.3.1-9)
sid: resolved (fixed in 0.3.1-9)
trixie: resolved (fixed in 0.3.1-9)
No detection rules found.
Bugzilla
CVE-2010-1132 spamass-milter: remote command execution
bugzilla · 2010-03-26 · CVSS 9.3 (CRITICAL)
A flaw in how the spamass-milter processed user-supplied input was reported [1]. If spamass-milter is run with the expand (-x) option, it calls popen() in a way that includes the attacker supplied recipient (RCPT TO). For example:
```text
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me at me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
```
The report claims this can result in remote root code execution, however in Fedora spamass-milter is run with the privileges of the dedicated sa-milt user, reducing the scope and impact of this flaw. As well, by default, spamass-milter does not run with the -x (expand) option, which is required to be a
Bugzilla
CVE-2010-1132 spamass-milter: remote command execution
bugzilla · 2010-03-26 · CVSS 9.3 (CRITICAL)
fedora-12 tracking bug for spamass-milter: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2010-1132 spamass-milter: remote command execution
bugzilla · 2010-03-26 · CVSS 9.3 (CRITICAL)
fedora-11 tracking bug for spamass-milter: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2010-1132 SpamAssassin Mail Filter: Arbitrary shell command injection (privilege escalation)
bugzilla · 2010-03-10 · CVSS 9.3 (CRITICAL)
Security researcher called "Kingcope" pointed out:

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html

a deficiency in the way the Mail Filter plugin for the SpamAssassin spam filter sanitized a certain mail header field, when spamass-milter was run with the expand flag (-x option). If a remote attacker sent an email message with a certain, specially-crafted mail header field, and this message was subsequently processed by the SpamAssassin Mail Filter plugin, it could lead to arbitrary code execution with the privileges of the privileged system user (root).

Preliminary upstream patch:

[2] http://savannah.nongnu.org/support/download.php?file_id=19902
References:
[3] http://sec
References
- http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html
- http://bugs.debian.org/573228
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038535.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038572.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038777.html
- http://osvdb.org/62809
- http://secunia.com/advisories/38840
- http://secunia.com/advisories/38956
- http://secunia.com/advisories/39265
- http://www.debian.org/security/2010/dsa-2021
- http://www.exploit-db.com/exploits/11662
- http://www.securityfocus.com/bid/38578
- http://www.securitytracker.com/id?1023691
- http://www.vupen.com/english/advisories/2010/0559
- http://www.vupen.com/english/advisories/2010/0683
- http://www.vupen.com/english/advisories/2010/0837
- https://bugzilla.redhat.com/show_bug.cgi?id=572117
- https://exchange.xforce.ibmcloud.com/vulnerabilities/56732
- https://savannah.nongnu.org/bugs/?29136
Published 2010-03-27