Chris McDonough posted to the SecurityFocus mailing list:
The AMaViS incoming-mail virus scanning utility (available at
http://satan.oih.rwth-aachen.de/AMaViS/)
for Linux has problems.
I tried to contact the maintainer of the package (Christian
Bricart) on June 26, again several times over the course of the
last month, but I have not received anything from him and the
AMaViS website does not yet acknowledge the problem or provide a
fix. However, on Jun 30, co-contributors to the package (Juergen
Quade and Mogens Kjaer) responded quickly with an acknowledgement
of the problem and a few fixes. Because the co-authors do not
maintain the downloadable package, however, the latest downloadable
version of AMaViS (0.2.0-pre4 and possibly earlier) still has a bug
which allows remote users to send arbitrary commands as root to a
Linux machine running the AMaViS scripts.
Exploit:
Send a message with a virus-infected file attachment. Use
something like “`/sbin/reboot`@dummy.com” as your reply-to address
in your MUA when sending the message. When the AMaViS box receives
the message, it will go through its scripts, find the virus,
construct an email message to send back to the sender of the
virus-infected file… line 601+ in the “scanmails” script:
cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2

                  V I R U S  A L E R T

Our viruschecker found a VIRUS in your email to "$7".
We stopped delivery of this email!
Now it is on you to check your system for viruses

For further information about this viruschecker see:
   http://aachalon.de/AMaViS/
   AMaViS - A Mail Virus Scanner, licenced GPL

EOF
… the $2 expands to a shell command (e.g. “/sbin/reboot”)
which runs as root.
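The flaw described above is a classic command injection: a string taken straight from an incoming message (the sender address) ends up on a shell command line that notifies the sender. The following is an added example and not code from AMaViS or from the post; it models the notification step in a self-contained POSIX sh script and puts the vulnerable form next to a hardened one. The function names fake_mail, notify_unsafe and notify_safe, the scratch directory, and the character whitelist are all choices made here, and the real /sbin/reboot is replaced by touching a marker file. The page does not show by which route the backticks in the address get evaluated, so the vulnerable function assumes the simplest one, the command line being assembled as a string and re-parsed with eval; a bare unquoted expansion on its own only word-splits, and the same injection occurs wherever the address passes through eval, sh -c, an MTA pipe mailer, or any other second parse.

```sh
#!/bin/sh
# Added example (not AMaViS code). Models a virus-alert notification whose
# recipient is the untrusted sender address of an incoming message: first
# the way that lets the address reach the shell as code, then a hardened
# form. fake_mail, notify_unsafe and notify_safe are names chosen here and
# the allowed character set is an assumption, not taken from AMaViS.

WORK=$(mktemp -d)   # scratch directory so the demonstration runs offline

# Stand-in for mail(1): swallows its arguments and records the last one
# (the recipient) so we can see what would have been addressed.
fake_mail() {
    last=""
    for arg in "$@"; do last=$arg; done
    printf '%s\n' "$last" >"$WORK/recipient"
}

# Vulnerable: the command line is assembled into a string and re-parsed.
# Anything in $1 that the shell treats as syntax (backticks, $(...), ;, |)
# is executed with the privileges of this script, which is root when the
# MTA hands mail to the scanner as root.
notify_unsafe() {
    eval "fake_mail -s 'VIRUS IN YOUR MAIL' $1"
}

# Hardened: (1) refuse any address outside a conservative whitelist, so no
# shell metacharacter ever gets in; (2) hand the address to the mailer as
# one argv element after '--', so it is neither re-parsed nor read as an
# option. Returns 1 and sends nothing when the address is rejected.
notify_safe() {
    addr=$1
    case "$addr" in
        ""|*[!A-Za-z0-9._+=@-]*) return 1 ;;   # empty or forbidden characters
        *@*@*|@*|*@|-*)         return 1 ;;   # not user@host, or option-like
    esac
    fake_mail -s 'VIRUS IN YOUR MAIL' -- "$addr"
}

# Constructed attacker address: a harmless stand-in for `/sbin/reboot`
# that leaves a marker file if the embedded command ever runs.
evil_addr="\`touch $WORK/command-ran\`@dummy.com"

demo() {
    rm -f "$WORK/command-ran"
    notify_unsafe "$evil_addr"
    if [ -e "$WORK/command-ran" ]; then
        echo "unsafe: injected command ran; recipient became '$(cat "$WORK/recipient")'"
    fi
    rm -f "$WORK/command-ran"
    if notify_safe "$evil_addr"; then
        echo "safe: address accepted (unexpected)"
    elif [ -e "$WORK/command-ran" ]; then
        echo "safe: rejected, but the command still ran (unexpected)"
    else
        echo "safe: address rejected, no command ran"
    fi
    if notify_safe "user@example.com"; then
        echo "safe: legitimate mail addressed to $(cat "$WORK/recipient")"
    fi
}

demo
```

Run it with any POSIX sh; the unsafe path creates the marker and mangles the recipient to "@dummy.com" (the backtick substitution evaluates to nothing), while the safe path rejects the same address outright. Whitelisting is preferred here over quoting because quoting only protects the one expansion you remember to quote; a rejected address should be logged and the notification dropped rather than "cleaned up" and sent.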