spamassassin a possible security risk?

Thomas Zehetbauer thomasz at hostmaster.org
Tue Oct 19 12:40:39 UTC 2004


On Mon, 2004-10-18 at 22:25 -0400, Matthew Miller wrote:
> When run as root, it can setuid to the user running spamc. So that's
> actually better.

No, it sets its user-id to the user supplied over an untrusted network
connection. No authentication is attempted.

> Everyone on the local host. And that's who it's designed for; not sure this
> is a problem.

No, Linux uses the 'weak end host' model and spamd is not given the -A
option, so everyone who can send packets to 127.0.0.1 on any of the
host's network interfaces can connect.

> > 1.2) trying to parse, lookup and impersonate an untrusted username
> how's that?

spamd runs as root while accepting and trying to read, parse, lookup and
impersonate the user given over an untrusted network connection.
PROCESS SPAMC/1.3\r\nUser: thomasz\r\nContent-length: 5342\r\n\r\n

> > 1.3.1) using system resources
> as does anything the user runs. But if the daemon can switch userids, I
> presume you can then account this resource use to that user.

Possibly accounting the resources to the wrong user, see above.

> > 2) start spamd as user
> > 2.1) allowing everyone to connect
> > 2.2) trying to use the configuration of an untrusted user
> > 2.3) using system resources
> > 2.4) possibly executing external applications and accessing network
> >      accounts
> Anyone can write a trivial little daemon to do this. You can do it with
> httpd, if you want. You can do it from the command line with 'nc', or you
> could use zsh shell builtins.

Sure, but in this case the user should be aware of what he is doing and
the risks involved. spamd on the other hand is silently launched when
the user clicks on 'Junk' in Ximian Evolution.

> > Binding to 127.0.0.1 is not secure as Linux by default uses the 'weak
> > end host' model.
> Except Fedora, as Red Hat Linux before it, turns on source route
> verification by default. (Look at /etc/sysctl.conf.) So, it doesn't.

I doubt this can really prevent this type of attack; it rather restricts
them to the local network. But I would appreciate some insight.

Tom

-- 
  T h o m a s   Z e h e t b a u e r   ( TZ251 )
  PGP encrypted mail preferred - KeyID 96FFCB89
      finger thomasz at hostmaster.org for key

Press any key to continue or any other key to quit.
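As an added illustration of the request header quoted above (example code written for this archive page, not spamd's or spamc's own), the following parses a spamc request and applies the two checks the thread says are missing when spamd runs without -A: a peer allow-list, and syntax plus account validation of the User header before anything is done on that user's behalf. ALLOWED_NETS, LOCAL_USERS and the sample request are constructed stand-ins.

```python
import ipaddress
import re

# Client networks requests may come from, playing the role of spamd's -A
# option. Constructed value for this example.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.1/32")]

# Accounts the daemon may act for. Constructed stand-in for a passwd lookup;
# note that it deliberately does not contain root.
LOCAL_USERS = {"thomasz", "alice"}

# Conservative username syntax, checked before any account lookup.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
REQUEST_RE = re.compile(r"^([A-Z]+) SPAMC/(\d+\.\d+)$")

# Constructed request in the form quoted in the thread.
SAMPLE = b"PROCESS SPAMC/1.3\r\nUser: thomasz\r\nContent-length: 5\r\n\r\nhello"


def parse_spamc_request(raw: bytes) -> dict:
    """Split a spamc request into command, version, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in header")
    m = REQUEST_RE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return {"command": m.group(1), "version": m.group(2),
            "headers": headers, "body": body}


def check_request(raw: bytes, peer_ip: str) -> tuple:
    """Return (True, user) if the request may be acted on, else (False, why)."""
    if not any(ipaddress.ip_address(peer_ip) in n for n in ALLOWED_NETS):
        return (False, "peer address not allowed")
    try:
        req = parse_spamc_request(raw)
    except ValueError as exc:
        return (False, str(exc))
    user = req["headers"].get("user", "")
    if not USER_RE.match(user):
        return (False, "username syntax rejected")
    if user not in LOCAL_USERS:
        return (False, "unknown user")
    length = req["headers"].get("content-length", "")
    if not length.isdigit() or int(length) != len(req["body"]):
        return (False, "content-length mismatch")
    return (True, user)
```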
