Xanda's Blog !~!

SpamAssassin Milter Plugin ‘mlfi_envrcpt()’ Remote Arbitrary Command Injection Vulnerability


Can you spot the security bug? 🙂

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
  struct context *sctx = (struct context*)smfi_getpriv(ctx);
  SpamAssassin* assassin = sctx->assassin;
  FILE *p;
#if defined(__FreeBSD__)
  int rv;
  debug(D_FUNC, "mlfi_envrcpt: enter");
  if (flag_expand)
  /* open a pipe to sendmail so we can do addressexpansion */
    char buf[1024];
    char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
    snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
    sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
    debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
    rv = pthread_mutex_lock(&popen_mutex);
    if (rv)
      debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
    p = popen(buf, "r");
    if (!p)
      debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));