SpamAssassin Milter Plugin ‘mlfi_envrcpt()’ Remote Arbitrary Command Injection Vulnerability

Posted: March 9th, 2010 | Author: | Filed under: IT Related | Tags: , , , | No Comments »

Can you spot the security bug? 🙂

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
  struct context *sctx = (struct context*)smfi_getpriv(ctx);
  SpamAssassin* assassin = sctx->assassin;
  FILE *p;
#if defined(__FreeBSD__)
  int rv;
#endif
 
  debug(D_FUNC, "mlfi_envrcpt: enter");
 
  if (flag_expand)
  {
  /* open a pipe to sendmail so we can do addressexpansion */
 
    char buf[1024];
    char *fmt="%s -bv \"%s\" 2>&1";
 
#if defined(HAVE_SNPRINTF)
    snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
    sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
 
    debug(D_RCPT, "calling %s", buf);
 
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
    rv = pthread_mutex_lock(&popen_mutex);
    if (rv)
    {
      debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
      abort();
    }
#endif
 
    p = popen(buf, "r");
    if (!p)
    {
      debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
      assassin->expandedrcpt.push_back(envrcpt[0]);