The AMaViS incoming-mail virus scanning utility (available at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has problems. I tried to contact the maintainer of the package (Christian Bricart) on June 26, again several times over the course of the last month, but I have not received anything from him and the AMaViS website does not yet acknowledge the problem or provide a fix. However, on Jun 30, co-contributors to the package (Juergen Quade and Mogens Kjaer) responded quickly with an acknowledgement of the problem and a few fixes. Because the co-authors do not maintain the downloadable package, however, the latest downloadable version of AMaViS (0.2.0-pre4 and possibly earlier) still has a bug which allows remote users to send arbitrary commands as root to a Linux machine running the AMaViS scripts. Exploit: Send a message with a virus-infected file attachment. Use something like "`/sbin/reboot`@dummy.com" as your reply-to address in your MUA when sending the message. When the AMaViS box receives the message, it will go through its scripts, find the virus, construct an email message to send back to the sender of the virus-infected file... line 601+ in the "scanmails" script: cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2 V I R U S A L E R T Our viruschecker found a VIRUS in your email to "$7". We stopped delivery of this email! Now it is on you to check your system for viruses For further information about this viruschecker see: http://aachalon.de/AMaViS/ AMaViS - A Mail Virus Scanner, licenced GPL EOF ... the $2 expands to a shell command (e.g. "/sbin/reboot") which runs as root. To solve it, Juergen Quade created the following diff file. It represents the difference between his "secured" and "insecure" scanmails shell script file. I solved it differently, using a procmail recipe, but this will work too: --- scanmails.orig Wed Jun 30 12:54:02 1999 +++ scanmails Wed Jun 30 12:54:15 1999 @@ -122,6 +122,50 @@ deliver=/usr/bin/procmail + ############################################################ ### +# Chris McDonough informed us, that it is possible to execute # +# programs by sending an email, wich contains a virus and has # +# as return address something like: # +# `/sbin/reboot`@softing.com # +# or # +# $(/sbin/reboot) @softing.com # +# The execution of the command (/sbin/reboot) is done by the # +# "mail" program. Therefore we parse the arguments in order # +# to substitute those characters to nothing # + # # +# Wed Jun 30 11:47:55 MEST 1999 # + ############################################################ ### + +# substitute all "`","$(",")" to nothing +receiver=${7//\`/} +receiver=${receiver//\$\(/} +receiver=${receiver//\)/} + +sender=${2//\`/} +sender=${sender//\$\(/} +sender=${sender//\)/} + +if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then + cat <<EOF | ${mail} -s "Intrusion???" ${mailto} + ############################################################ ### +# Chris McDonough informed us, that it is possible to execute # +# programs by sending an email, wich contains a virus and has # +# as return address something like: # +# \`/sbin/rebbot\`@softing.com # +# or # +# \$\(/sbin/rebbot\) @softing.com # +# The execution of the command (/sbin/rebbot) is done by the # +# "mail" program. Therefore we parse the arguments in order # +# to substitute those characters to nothing # + # # +# Wed Jun 30 11:47:55 MEST 1999 # + ############################################################ ### + $7 or $2 is not a valid Email address + (changed to $receiver and $sender)! +EOF +fi +# + ################################################ # main program # # -------------- # @@ -171,8 +215,8 @@ echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx > ${tmpdir}/logfile echo ${scanscriptname} called $* >>${tmpdir}/logfile -echo FROM: $2 >>/${tmpdir}/logfile -echo TO: $7 >>/${tmpdir}/logfile +echo FROM: $sender >>/${tmpdir}/logfile +echo TO: $receiver >>/${tmpdir}/logfile ${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null 2>&1 @@ -597,11 +641,11 @@ ################### send a mail back to sender ###################### -cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2 +cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver" $sender V I R U S A L E R T - Our viruschecker found a VIRUS in your email to "$7". + Our viruschecker found a VIRUS in your email to "$receiver". We stopped delivery of this email! Now it is on you to check your system for viruses @@ -614,12 +658,12 @@ ############### send a mail to the addressee ######################## -cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7 +cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $sender" $receiver V I R U S A L E R T Our viruschecker found a VIRUS in a mail from - "$2" + "$sender" to you. Delivery of the email was stopped!
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:33 PDT