CVE-2006-2447 - Remote Command Execution vulnerability in Apache Spamassassin 3.1.0/3.1.1/3.1.2

CVSS 5.1 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Tags: network, high complexity, apache, nessus, exploit available, metasploit

Summary

SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.

Vulnerable Configurations

Part         Description  Count
Application  Apache       3

Exploit-Db

  • description: SpamAssassin spamd Remote Command Execution. CVE-2006-2447. Remote exploit for linux platform
    id: EDB-ID:16920
    last seen: 2016-02-02
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16920/
    title: SpamAssassin spamd Remote Command Execution
  • description: SpamAssassin spamd. CVE-2006-2447. Remote exploit for unix platform
    id: EDB-ID:9914
    last seen: 2016-02-01
    modified: 2006-06-06
    published: 2006-06-06
    reporter: patrick
    source: https://www.exploit-db.com/download/9914/
    title: SpamAssassin spamd <= 3.1.3 - Command Injection

Metasploit

description: This module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to v3.1.3 are vulnerable.
id: MSF:EXPLOIT/UNIX/MISC/SPAMASSASSIN_EXEC
last seen: 2020-01-25
modified: 2017-11-08
published: 2008-07-19
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/misc/spamassassin_exec.rb
title: SpamAssassin spamd Remote Command Execution

Nessus

  • NASL family: Gain a shell remotely
    NASL id: SPAMD_VPOPMAIL_CMD_EXEC.NASL
    description: The remote host is running spamd, a daemon belonging to SpamAssassin and used to determine whether messages represent spam. The installed version of spamd on the remote host appears to allow an unauthenticated user to execute arbitrary commands, subject to the privileges of the user under which it operates.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21673
    published: 2006-06-08
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21673
    title: SpamAssassin spamd Crafted Message Arbitrary Command Execution
    code:
    #
    # (C) Tenable Network Security
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21673);
      script_version("1.17");
    
      script_cve_id("CVE-2006-2447");
      script_bugtraq_id(18290);
    
      script_name(english:"SpamAssassin spamd Crafted Message Arbitrary Command Execution");
      script_summary(english:"Checks for an command execution flaw in spamd");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote server allows execution of arbitrary commands." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running spamd, a daemon belonging to SpamAssassin
    and used to determine whether messages represent spam. 
    
    The installed version of spamd on the remote host appears to allow an
    unauthenticated user to execute arbitrary commands, subject to the
    privileges of the user under which it operates." );
     script_set_attribute(attribute:"see_also", value:"https://spamassassin.apache.org/404.html" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to SpamAssassin 3.0.6 / 3.1.3 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'SpamAssassin spamd Remote Command Execution');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/06/08");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/06/06");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:spamassassin");
    script_end_attributes();
    
     
      script_category(ACT_ATTACK);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
    
      script_dependencies("find_service2.nasl");
      script_require_ports("Services/spamd", 783);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    
    port = get_kb_item("Services/spamd");
    if (!port) port = 783;
    if (!get_port_state(port)) exit(0);
    
    
    # A sample email.
    msg = string(
      "From: nessus\n",
      "To: root\n",
      "Subject: Test\n",
      "Date: Wed, 07 Jun 2006 10:18:42 -0400\n",
      "\n",
      "A simple test of ", SCRIPT_NAME, ".\n"
    );
    
    
    # Make sure spamd works.
    soc = open_sock_tcp(port);
    if (soc)
    {
      req = string(
        "PROCESS SPAMC/1.2\r\n",
        "Content-length: ", strlen(msg), "\r\n",
        "User: nessus\r\n",
        "\r\n",
        msg
      );
      send(socket:soc, data:req);
      res = recv(socket:soc, length:1024);
      close(soc);
    }
    
    
    # If it does...
    if (res && egrep(pattern:"^SPAMD/[^ ]+ [0-9]+ EX_OK", string:res))
    {
      # Make sure the version looks vulnerable, unless we're paranoid.
      if (
        report_paranoia < 2 &&
        "X-Spam-Checker-Version:" >< res &&
        !egrep(pattern:"^X-Spam-Checker-Version: SpamAssassin ([0-2]\.|3\.(0\.[0-5]|1\.[0-2]))", string:res)
      ) exit(0);
    
      # Now try to exploit the flaw to kill our connection.
      soc = open_sock_tcp(port);
      if (soc)
      {
        req = string(
          "PROCESS SPAMC/1.2\r\n",
          "Content-length: ", strlen(msg), "\r\n",
          "User: nessus; kill $PPID\r\n",
          "\r\n",
          msg
        );
        send(socket:soc, data:req);
        res2 = recv(socket:soc, length:1024);
    
        # There's a problem if we didn't receive anything this time.
        if (res2 == NULL) security_warning(port);
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1090.NASL
    description: A vulnerability has been discovered in SpamAssassin, a Perl-based spam filter using text analysis, that can allow remote attackers to execute arbitrary commands. This problem only affects systems where spamd is reachable via the internet and used with vpopmail virtual users, via the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22632
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22632
    title: Debian DSA-1090-1 : spamassassin - programming error
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1090. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22632);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2006-2447");
      script_xref(name:"DSA", value:"1090");
    
      script_name(english:"Debian DSA-1090-1 : spamassassin - programming error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability has been discovered in SpamAssassin, a Perl-based spam
    filter using text analysis, that can allow remote attackers to execute
    arbitrary commands. This problem only affects systems where spamd is
    reachable via the internet and used with vpopmail virtual users, via
    the '-v' / '--vpopmail' switch, and with the '-P' / '--paranoid'
    switch which is not the default setting on Debian."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1090"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the spamd package.
    
    The old stable distribution (woody) is not affected by this problem.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 3.0.3-2sarge1.
    
    For the volatile archive for the stable distribution (sarge) this
    problem has been fixed in version 3.1.0a-0volatile3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SpamAssassin spamd Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:spamassassin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"spamassassin", reference:"3.0.3-2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"spamc", reference:"3.0.3-2sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-103.NASL
    description: A flaw was discovered in the way that spamd processes the virtual POP usernames passed to it. If running with the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running spamd. By default, the Spamassassin packages do not start spamd with either of these flags and this usage is uncommon. The updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21718
    published: 2006-06-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21718
    title: Mandrake Linux Security Advisory : spamassassin (MDKSA-2006:103)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:103. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21718);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-2447");
      script_xref(name:"MDKSA", value:"2006:103");
    
      script_name(english:"Mandrake Linux Security Advisory : spamassassin (MDKSA-2006:103)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was discovered in the way that spamd processes the virtual POP
    usernames passed to it. If running with the --vpopmail and --paranoid
    flags, it is possible for a remote user with the ability to connect to
    the spamd daemon to execute arbitrary commands as the user running
    spamd.
    
    By default, the Spamassassin packages do not start spamd with either
    of these flags and this usage is uncommon.
    
    The updated packages have been patched to correct this issue."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SpamAssassin spamd Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-Mail-SpamAssassin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:spamassassin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:spamassassin-spamc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:spamassassin-spamd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:spamassassin-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.2", reference:"perl-Mail-SpamAssassin-3.0.4-0.3.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"spamassassin-3.0.4-0.3.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"spamassassin-spamc-3.0.4-0.3.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"spamassassin-spamd-3.0.4-0.3.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"spamassassin-tools-3.0.4-0.3.102mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2006.0", reference:"perl-Mail-SpamAssassin-3.0.4-3.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"spamassassin-3.0.4-3.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"spamassassin-spamc-3.0.4-3.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"spamassassin-spamd-3.0.4-3.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"spamassassin-tools-3.0.4-3.3.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-598.NASL
    description: 3.1.3 Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration. Also included are bug fixes from 3.1.2. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24118
    published: 2007-01-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24118
    title: Fedora Core 5 : spamassassin-3.1.3-1.fc5 (2006-598)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-598.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24118);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2006-2447");
      script_xref(name:"FEDORA", value:"2006-598");
    
      script_name(english:"Fedora Core 5 : spamassassin-3.1.3-1.fc5 (2006-598)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "3.1.3 Resolves CVE-2006-2447.
    
    Note that you are affected by this bug only if you launched spamd with
    both --vpopmail and --paranoid, which is not a common configuration. 
    
    Also included are bug fixes from 3.1.2.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2006-June/000188.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1cd6e25a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected spamassassin and / or spamassassin-debuginfo
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SpamAssassin spamd Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:spamassassin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:spamassassin-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC5", reference:"spamassassin-3.1.3-1.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"spamassassin-debuginfo-3.1.3-1.fc5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "spamassassin / spamassassin-debuginfo");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-242.NASL
    description: This upgrades to version 3.1.8, which fixes some bugs and CVE-2007-0451 Malformed HTML Denial of Service. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24361
    published: 2007-02-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24361
    title: Fedora Core 5 : spamassassin-3.1.8-1.fc5 (2007-242)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2007-242.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24361);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:25");
    
      script_cve_id("CVE-2006-2447", "CVE-2007-0451");
      script_xref(name:"FEDORA", value:"2007-242");
    
      script_name(english:"Fedora Core 5 : spamassassin-3.1.8-1.fc5 (2007-242)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This upgrades to version 3.1.8, which fixes some bugs and
    CVE-2007-0451 Malformed HTML Denial of Service.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2007-February/001460.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ab33f2db"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected spamassassin and / or spamassassin-debuginfo
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SpamAssassin spamd Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:spamassassin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:spamassassin-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC5", reference:"spamassassin-3.1.8-1.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"spamassassin-debuginfo-3.1.8-1.fc5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "spamassassin / spamassassin-debuginfo");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SPAMASSASSIN-1904.NASL
    description: This update fixes the following security problem in SpamAssassin : - CVE-2006-2447: SpamAssassin when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username. At the same time we upgraded SpamAssassin to version 3.1.3, bringing lots of bug fixes and new rules. Please make sure you verify that it still works with your configuration. Also included is now
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27449
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27449
    title: openSUSE 10 Security Update : spamassassin (spamassassin-1904)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0543.NASL
    description: Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A flaw was found with the way the Spamassassin spamd daemon processes the virtual pop username passed to it. If a site is running spamd with both the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running the spamd daemon. (CVE-2006-2447) Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4 support vpopmail delivery. Running spamd with the --vpopmail and --paranoid flags is uncommon and not the default startup option as shipped with Red Hat Enterprise Linux 4. Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups against visi.com to help determine if an email is spam. However, this DNS RBL has recently disappeared, resulting in mail filtering delays and timeouts. Users of SpamAssassin should upgrade to these updated packages containing version 3.0.6 and backported patches, which are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21999
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21999
    title: CentOS 4 : spamassassin (CESA-2006:0543)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-658.NASL
    description: Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24121
    published: 2007-01-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24121
    title: Fedora Core 4 : spamassassin-3.0.6-1.fc4 (2006-658)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0543.NASL
    description: Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A flaw was found with the way the Spamassassin spamd daemon processes the virtual pop username passed to it. If a site is running spamd with both the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running the spamd daemon. (CVE-2006-2447) Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4 support vpopmail delivery. Running spamd with the --vpopmail and --paranoid flags is uncommon and not the default startup option as shipped with Red Hat Enterprise Linux 4. Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups against visi.com to help determine if an email is spam. However, this DNS RBL has recently disappeared, resulting in mail filtering delays and timeouts. Users of SpamAssassin should upgrade to these updated packages containing version 3.0.6 and backported patches, which are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21672
    published: 2006-06-08
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21672
    title: RHEL 4 : spamassassin (RHSA-2006:0543)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-584.NASL
    description: Local symlink vulnerability. Fedora is not vulnerable in any default or common configurations. Read upstream
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25509
    published: 2007-06-14
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25509
    title: Fedora Core 5 : spamassassin-3.1.9-1.fc5.1 (2007-584)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200606-09.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200606-09 (SpamAssassin: Execution of arbitrary code) When spamd is run with both the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21702
    published: 2006-06-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21702
    title: GLSA-200606-09 : SpamAssassin: Execution of arbitrary code

Oval

accepted: 2013-04-29T04:18:25.849-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
family: unix
id: oval:org.mitre.oval:def:9184
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
version: 26

Packetstorm

data source: https://packetstormsecurity.com/files/download/82332/spamassassin_exec.rb.txt
id: PACKETSTORM:82332
last seen: 2016-12-05
published: 2009-10-28
reporter: patrick
source: https://packetstormsecurity.com/files/82332/SpamAssassin-spamd-Remote-Command-Execution.html
title: SpamAssassin spamd Remote Command Execution

Redhat

advisories
bugzilla
id: 193865
title: CVE-2006-2447 spamassassin arbitrary command execution
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 4 is installed
      oval: oval:com.redhat.rhba:tst:20070304025
    • comment: spamassassin is earlier than 0:3.0.6-1.el4
      oval: oval:com.redhat.rhsa:tst:20060543001
    • comment: spamassassin is signed with Red Hat master key
      oval: oval:com.redhat.rhsa:tst:20060129002
rhsa
id: RHSA-2006:0543
released: 2006-06-06
severity: Moderate
title: RHSA-2006:0543: spamassassin security update (Moderate)
rpms
  • spamassassin-0:3.0.6-1.el4
  • spamassassin-debuginfo-0:3.0.6-1.el4

Saint

bid: 18290
description: SpamAssassin spamd vpopmail user vulnerability
id: mail_misc_spamassassin
osvdb: 26177
title: spamassassin_spamd_vpopmail
type: remote

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:18007
    last seen: 2017-11-19
    modified: 2006-06-06
    published: 2006-06-06
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-18007
    title: SpamAssassin spamd <= 3.1.3 Command Injection
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:71412
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-71412
    title: SpamAssassin spamd Remote Command Execution
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:66969
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-66969
    title: SpamAssassin spamd <= 3.1.3 - Command Injection