COMMAND
AMaViS virus scanner
SYSTEMS AFFECTED
Linux
PROBLEM
Chris McDonough found the following. The AMaViS incoming-mail virus
scanning utility for Linux, available at
http://satan.oih.rwth-aachen.de/AMaViS/
has a problem. The exploit: send a message with a virus-infected
file attachment, using something like
"`/sbin/reboot`@dummy.com" as the Reply-To address in your MUA.
When the AMaViS box receives the message, it runs through its
scripts, finds the virus, and constructs an email message to send
back to the sender of the virus-infected file (line 601 onward in
the "scanmails" script):
cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
V I R U S A L E R T
Our viruschecker found a VIRUS in your email to "$7".
We stopped delivery of this email!
Now it is on you to check your system for viruses
For further information about this viruschecker see:
http://aachalon.de/AMaViS/
AMaViS - A Mail Virus Scanner, licenced GPL
EOF
... here $2 expands to the attacker-supplied sender address, so the
embedded shell command (e.g. "/sbin/reboot") runs as root.
To add insult to injury, Kurt Seifried tried to contact the
maintainer about another nasty bug (also with no luck). When using
Sophos (and likely other anti-virus software), AMaViS was not
picking up the updates: the updated IDE files in /opt/ide, defined
as SAV_IDE=/opt/ide, were not being used by AMaViS, although the
"sweep" command run from the command line picked them up fine. This
means AMaViS generally does not detect BO2K etc. Perhaps a new
maintainer (an active one anyway, with a pulse) is needed.
SOLUTION
To solve it, Juergen Quade created the following diff file. It
represents the difference between his "secured" and "insecure"
scanmails shell script file. Chris solved it differently, using
a procmail recipe, but this will work too:
--- scanmails.orig Wed Jun 30 12:54:02 1999
+++ scanmails Wed Jun 30 12:54:15 1999
@@ -122,6 +122,50 @@
deliver=/usr/bin/procmail
+###############################################################
+# Chris McDonough informed us, that it is possible to execute #
+# programs by sending an email, wich contains a virus and has #
+# as return address something like: #
+# `/sbin/reboot`@softing.com #
+# or #
+# $(/sbin/reboot)@softing.com #
+# The execution of the command (/sbin/reboot) is done by the #
+# "mail" program. Therefore we parse the arguments in order #
+# to substitute those characters to nothing #
+# #
+# Wed Jun 30 11:47:55 MEST 1999 #
+###############################################################
+
+# substitute all "`","$(",")" to nothing
+receiver=${7//\`/}
+receiver=${receiver//\$\(/}
+receiver=${receiver//\)/}
+
+sender=${2//\`/}
+sender=${sender//\$\(/}
+sender=${sender//\)/}
+
+if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then
+ cat <<EOF | ${mail} -s "Intrusion???" ${mailto}
+###############################################################
+# Chris McDonough informed us, that it is possible to execute #
+# programs by sending an email, wich contains a virus and has #
+# as return address something like: #
+# \`/sbin/rebbot\`@softing.com #
+# or #
+# \$\(/sbin/rebbot\)@softing.com #
+# The execution of the command (/sbin/rebbot) is done by the #
+# "mail" program. Therefore we parse the arguments in order #
+# to substitute those characters to nothing #
+# #
+# Wed Jun 30 11:47:55 MEST 1999 #
+###############################################################
+ $7 or $2 is not a valid Email address
+ (changed to $receiver and $sender)!
+EOF
+fi
+#
+
################################################
# main program #
# -------------- #
@@ -171,8 +215,8 @@
echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx >
${tmpdir}/logfile
echo ${scanscriptname} called $* >>${tmpdir}/logfile
-echo FROM: $2 >>/${tmpdir}/logfile
-echo TO: $7 >>/${tmpdir}/logfile
+echo FROM: $sender >>/${tmpdir}/logfile
+echo TO: $receiver >>/${tmpdir}/logfile
${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null 2>&1
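Review bot: logging only the sanitised $sender and $receiver drops the evidence of an injection attempt from the logfile, which is the record an administrator will look at later; write the raw arguments as well, quoted so they are neither expanded nor word-split, e.g. `echo "FROM(raw): $2" >>${tmpdir}/logfile`. Also, both modified lines keep the pre-existing `>>/${tmpdir}/logfile`, whose leading slash forces an absolute path regardless of ${tmpdir} and is inconsistent with `${tmpdir}/logfile` two lines above; worth fixing while these lines are being touched.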
@@ -597,11 +641,11 @@
################### send a mail back to sender
######################
-cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
+cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver"
$sender
V I R U S A L E R T
- Our viruschecker found a VIRUS in your email to "$7".
+ Our viruschecker found a VIRUS in your email to
"$receiver".
We stopped delivery of this email!
Now it is on you to check your system for viruses
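Review bot: $sender is still passed to ${mail} unquoted as the recipient argument, so after word splitting a value containing whitespace becomes several arguments and a value beginning with "-" is read as an option; write "$sender" at minimum. Since the sender address of a virus-carrying message is chosen by whoever sent it, consider whether this reply should go to that address at all rather than only to the local ${mailto}.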
@@ -614,12 +658,12 @@
############### send a mail to the addressee ########################
-cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7
+cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM
$sender" $receiver
V I R U S A L E R T
Our viruschecker found a VIRUS in a mail from
- "$2"
+ "$sender"
to you.
Delivery of the email was stopped!
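Review bot: same quoting issue as the previous hunk, now for $receiver as the recipient argument on the first changed line: use "$receiver". Because $7 is the local addressee, it could additionally be checked against the site's own domain before ${mail} is invoked, a much stricter test than the character filter in the first hunk.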
The AMaViS diff is available at the following address, as the copy
above may be messed up:
http://sharon.iqgroup.com/scanmails.patch
AMaViS 0.2.0-pre5 has been released, which should fix the problem
using a (slightly modified) version of this patch...
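As an added example (not code from AMaViS or from the patch above), the same check done as an allowlist in POSIX sh: an address is accepted only if it is built from a small safe character set, and otherwise the notification goes to an assumed local postmaster address instead of the untrusted string. The POSTMASTER value and the sample addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the AMaViS patch: an allowlist check for the
# $2 (sender) and $7 (recipient) arguments before they are handed to
# ${mail}. The patch strips "`", "$(" and ")"; this rejects any address
# containing a character outside a small safe set instead. POSIX sh only.

# Assumed fallback recipient for notifications whose address is rejected.
POSTMASTER='postmaster@localhost'

# Return 0 when the argument is a plain address made only of
# [A-Za-z0-9._+-], with exactly one "@" and a dotted domain part.
# Everything else (shell metacharacters, whitespace, newlines, quotes,
# a leading "-" that mail(1) would take as an option, empty input) fails.
is_safe_address() {
    addr=$1
    [ -n "$addr" ] || return 1
    case $addr in
        -*)                   return 1 ;;  # looks like an option
        *[!A-Za-z0-9._+@-]*)  return 1 ;;  # disallowed character
        *@*@*)                return 1 ;;  # more than one "@"
        *@*)                  ;;
        *)                    return 1 ;;  # no "@" at all
    esac
    local_part=${addr%@*}
    domain=${addr#*@}
    [ -n "$local_part" ] && [ -n "$domain" ] || return 1
    case $domain in
        .*|*.|*..*) return 1 ;;             # empty label
        *.*)        return 0 ;;
        *)          return 1 ;;             # no dot in domain
    esac
}

# Print the address to notify: the validated input, or $POSTMASTER when
# validation fails, so an untrusted string never reaches ${mail}'s argv.
notify_target() {
    if is_safe_address "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$POSTMASTER"
    fi
}

# Constructed sample values, including the reply-to from the advisory.
for candidate in 'user@example.com' 'first.last+tag@mail.example.org' \
                 '`/sbin/reboot`@dummy.com' '-f@example.com' 'nobody'; do
    printf '%-32s -> %s\n' "$candidate" "$(notify_target "$candidate")"
done
```

In scanmails the result would be used as `${mail} -s "..." "$(notify_target "$2")"`, with the argument quoted so it stays a single word.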
The solution to the other problem is simple: wrap SWEEP [the
Sophos scanner] in a shell script which sets SAV_IDE before
running the SWEEP binary.