AMAVIS SECURITY ADVISORY ASA-2006-1: Convert::UUlib 1.04 exploitable buffer overflow

IMPACT

Gain shell access to a remote system running a content filter which uses Convert::UUlib 1.04 or earlier.

HOW TO CHECK

The following command will write the version of the module to stdout:

  perl -MConvert::UUlib -le 'print Convert::UUlib->VERSION'

The command assumes there is only one version of Perl installed on the system. If this is not the case, make sure to invoke the same version of perl as is used by the content filter (e.g. see the first line of the file /usr/local/sbin/amavisd for the full path to perl).

WHICH SYSTEMS ARE VULNERABLE

Systems running amavisd-new-2.3.0 or later are NOT vulnerable, because amavisd refuses to start if the version of Convert::UUlib is older than 1.05.

Systems running versions of amavisd-new older than 2.3.0 do not check the version of Convert::UUlib and may be vulnerable if administrators failed to upgrade Convert::UUlib to 1.05 or 1.06. The impact on vulnerable systems is possible execution of arbitrary code with the privileges of the process running amavisd, i.e. vscan or amavis. The impact is restricted to a chroot jail if amavisd is running chrooted.

Similarly, other branches of AMaViS (amavis-perl, amavisd-snapshot, amavis-ng) may not be checking the version of Convert::UUlib and may fail to notice the vulnerability, so it is up to the mail administrator to check that the installed version of Convert::UUlib is not vulnerable. The same may apply to derivatives of amavisd-new with a branch point before amavisd-new-2.3.0.

BACKGROUND

In 2005-04 a bug was discovered in the uulib library as used by the Perl module Convert::UUlib version 1.04 or earlier. This is an integer overflow problem, leading to a buffer overflow. At the time it was not known whether the bug was exploitable; nevertheless, users have since been warned to use a newer version of Convert::UUlib: first 1.05, and later 1.06 when it became available by the end of 2005.
The problem was discussed on the amavis-user mailing list, and a warning is posted on the amavisd-new web page and in the INSTALL document.

On 2006-12-05 an advisory on the security implications of this bug was disclosed to the public, thanks to Jean-Sébastien Guay-Leroux, who demonstrated that the uulib bug is exploitable and can provide shell access (with the privileges of the process invoking uulib) to an attacker who can send a specially crafted e-mail to a mail decoding program.

REFERENCES

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
  http://www.guay-leroux.com/projects.html
  http://www.guay-leroux.com/projects/barracuda-advisory-convert-uulib.txt
  http://www.ijs.si/software/amavisd/#sec
  http://www.amavis.org/security/

An article of interest: SMTP content filter security, by Jean-Sébastien Guay-Leroux:
  http://www.guay-leroux.com/projects/SMTP%20content%20filters.pdf

ACKNOWLEDGMENTS

I must thank Jean-Sébastien Guay-Leroux for his security-related work and for providing valuable feedback to authors of software and to the public.

RELATED

This may be a good opportunity to check other decoding and virus-checking components for known vulnerabilities. It is imperative that security-sensitive software is regularly updated, as new bugs are being found and fixed, and as the security implications of old bugs become better understood.
Some more prominent components that are worth checking:

  Convert::UUlib   1.06 or later
  Compress::Zlib   1.35 or later (currently at 2.001)
  Archive::Zip     1.14 or later (currently at 1.18)
  file(1) utility  4.06 or later (currently 4.18)
  MIME-Tools       5.420
  ClamAV           0.88.6 or later
  lha              1.14i with security patch, see:
                   http://marc.theaimsgroup.com/?l=bugtraq&m=108422737918885
  zoo              2.10pl1, see:
                   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0855
  unzoo            4.4-4
  nomarch          1.4
  arc              5.21o
  unarj            2.65
  arj              3.10.22
  rar              3.6.0
  unrar            2.65
  lzop             1.02rc1
  freeze           2.5
  tnef             1.4.3

External decoders which are known to be old and cannot be upgraded may be disabled, either by removing them from the path so that amavisd-new won't find them on startup, or by modifying the array @decoders in amavisd.conf.

When choosing an operating system and a distribution for new installations, it is worthwhile to choose a distribution that is agile, responds quickly to new threats, and provides new versions of components on a reasonably timely basis. In a rapidly evolving field of computer security and spam protection, a passing year can be a long time!

  Mark
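
The HOW TO CHECK step above, including its advice to use the perl named on the first line of amavisd, written out as a script. This is an added example, not part of the original advisory; the function names are hypothetical, and the 1.05 threshold is the one the advisory states.

```sh
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.

# Print the interpreter named on the first line of a script, dropping any
# switches ("#!/usr/bin/perl -T" -> "/usr/bin/perl"). "#!/usr/bin/env perl"
# is kept as the two words "env perl" so the same PATH lookup is repeated.
shebang_interp() {
    first=$(head -n 1 "$1") || return 1
    case $first in
        '#!'*) ;;
        *) return 1 ;;
    esac
    set -f                      # no globbing while the line is split
    set -- ${first#??}          # drop "#!" and split on blanks
    set +f
    [ "$#" -ge 1 ] || return 1
    case $1 in
        */env) [ "$#" -ge 2 ] || return 1
               printf '%s %s\n' "$1" "$2" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Classify a decimal Perl module version against the advisory's threshold:
# 1.04 or earlier is vulnerable, 1.05 or later is fixed.
classify_uulib() {
    case $1 in
        ''|*[!0-9.]*|*.*.*) echo unknown; return 0 ;;
    esac
    if awk -v v="$1" 'BEGIN { exit !(v + 0 >= 1.05) }'; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Ask the perl that runs the content filter which Convert::UUlib it loads.
audit_uulib() {
    interp=$(shebang_interp "$1") || { echo "$1: no usable #! line" >&2; return 2; }
    # $interp is left unquoted on purpose: it may be "/usr/bin/env perl".
    if ver=$($interp -MConvert::UUlib -le 'print Convert::UUlib->VERSION' 2>/dev/null); then
        echo "$interp: Convert::UUlib $ver: $(classify_uulib "$ver")"
    else
        echo "$interp: Convert::UUlib could not be loaded"
    fi
}

# Usage: sh check-uulib.sh /usr/local/sbin/amavisd
if [ "$#" -gt 0 ]; then audit_uulib "$1"; fi
```

A result of "could not be loaded" means that perl has no Convert::UUlib at all, which is a different finding from a vulnerable version and should be checked against how the filter is actually started.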