DSPAM is "an advanced anti-spam solution compatible with most UNIX email server implementations. DSPAM combines deobfuscation techniques, token chains, and Bayesian statistical analysis to create a very effective anti-spam engine capable of teaching itself. DSPAM masquerades as the system's local delivery agent and performs analysis on a per-user basis".
Due to the default file permissions set by the product, a local attacker can gain elevated privileges simply by executing the DSPAM agent from the command line: the agent is installed setgid, so the attacker obtains the group privileges DSPAM itself runs under (in most installations, the 'mail' group).
Credit:
The information has been provided by Jonathan A. Zdziarski.
Vulnerable systems:
* DSPAM version 2.6.5
* DSPAM version 2.6.5.1
Immune systems:
* DSPAM version 2.6.5.2
* DSPAM version 2.7.0.beta.3
Details:
In order for the DSPAM agent to function correctly when called by the quarantine CGI, or by MTAs that drop privileges before calling dspam, the dspam agent must be setgid so that it can reach its own data. In most installations DSPAM runs under the group 'mail'.
DSPAM v2.6.5 introduced a new feature: the delivery agent and the quarantine agent can be changed from the command line. Because of DSPAM's default installation permissions (the agent binary is both setgid and world-executable), this option is available to any local user who can execute the DSPAM agent, and any such user can point it at an arbitrary command, which is then run with the privileges of the setgid group.
Solution:
Unset the world-execute bit of the DSPAM agent's file permissions (chmod o-x on the binary), so that only members of its group can run it, or upgrade to v2.6.5.2. Alternatively, users that are more daring may try v2.7.0.beta.3, which incorporates trusted user security.
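The following is an added example, not code from the advisory or from the DSPAM project. It shows how to check a binary for the exposure described above (a set-id bit combined with world-execute) and how to apply the advisory's workaround of removing world-execute. The path of the DSPAM agent is not assumed; the demo operates on a scratch file standing in for the binary, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory or the DSPAM project).
# Classifies a 10-character ls(1) mode string, e.g. "-rwxr-sr-x", by whether it
# combines a set-id bit (setuid or setgid) with world-execute, which is the
# condition the advisory describes for the DSPAM agent.
classify_mode() {
    m="$1"
    [ ${#m} -eq 10 ] || { echo "INVALID"; return 2; }
    # columns: 1 type, 2-4 user, 5-7 group, 8-10 other
    u_x=$(printf '%s' "$m" | cut -c4)
    g_x=$(printf '%s' "$m" | cut -c7)
    o_x=$(printf '%s' "$m" | cut -c10)
    setid=no
    case "$u_x$g_x" in
        *s*|*S*) setid=yes ;;   # 's'/'S' in the exec column means setuid/setgid
    esac
    worldx=no
    case "$o_x" in
        x|t) worldx=yes ;;      # 'x' or sticky 't' means others may execute
    esac
    if [ "$setid" = yes ] && [ "$worldx" = yes ]; then
        echo "EXPOSED"          # any local user can run it with the set-id privileges
    elif [ "$setid" = yes ]; then
        echo "RESTRICTED"       # set-id, but only the owner/group can run it
    else
        echo "PLAIN"
    fi
}

# Reads the mode of a file on disk and classifies it with classify_mode.
audit_file() {
    [ -e "$1" ] || { echo "MISSING"; return 1; }
    classify_mode "$(ls -ld "$1" | cut -c1-10)"
}

# The advisory's workaround: drop world-execute from the binary so that only
# members of its group (typically 'mail') can run it. World-read is dropped too
# so the binary cannot be copied elsewhere for inspection.
harden_file() {
    chmod o-rx "$1"
}

# Demo on a scratch file standing in for the DSPAM agent (no real path assumed):
# start from the vulnerable default (setgid, world-executable), audit, harden,
# audit again.
demo() {
    tmp=$(mktemp) || return 1
    chmod 2755 "$tmp"
    before=$(audit_file "$tmp")
    harden_file "$tmp"
    after=$(audit_file "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}
```

Run audit_file against the installed dspam binary on a 2.6.5 or 2.6.5.1 system; a result of EXPOSED is the condition the advisory describes, and harden_file applies the same chmod the Solution section recommends. Note that after hardening, every MTA or CGI account that calls dspam must be a member of the binary's group.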