ID CVE-2006-2447
Summary SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
References
Vulnerable Configurations
  • Apache Software Foundation SpamAssassin 3.1.0
    cpe:2.3:a:apache:spamassassin:3.1.0
  • Apache Software Foundation SpamAssassin 3.1.1
    cpe:2.3:a:apache:spamassassin:3.1.1
  • Apache Software Foundation SpamAssassin 3.1.2
    cpe:2.3:a:apache:spamassassin:3.1.2
CVSS
Base: 5.1 (as of 07-06-2006 - 08:13)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
  • description SpamAssassin spamd Remote Command Execution. CVE-2006-2447. Remote exploit for linux platform
    id EDB-ID:16920
    last seen 2016-02-02
    modified 2010-04-30
    published 2010-04-30
    reporter metasploit
    source https://www.exploit-db.com/download/16920/
    title SpamAssassin spamd Remote Command Execution
  • description SpamAssassin spamd. CVE-2006-2447. Remote exploit for unix platform
    id EDB-ID:9914
    last seen 2016-02-01
    modified 2006-06-06
    published 2006-06-06
    reporter patrick
    source https://www.exploit-db.com/download/9914/
    title SpamAssassin spamd <= 3.1.3 - Command Injection
metasploit via4
description This module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to v3.1.3 are vulnerable
id MSF:EXPLOIT/UNIX/MISC/SPAMASSASSIN_EXEC
last seen 2018-10-08
modified 2017-11-08
published 2008-07-19
reliability Excellent
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/misc/spamassassin_exec.rb
title SpamAssassin spamd Remote Command Execution
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-584.NASL
    description Local symlink vulnerability. Fedora is not vulnerable in any default or common configurations. Read upstream's announcement for details. http://spamassassin.apache.org/advisories/CVE-2007-2873.txt Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 25509
    published 2007-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25509
    title Fedora Core 5 : spamassassin-3.1.9-1.fc5.1 (2007-584)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SPAMASSASSIN-1904.NASL
    description This update fixes the following security problem in SpamAssassin : - CVE-2006-2447: SpamAssassin when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username. At the same time we upgraded SpamAssassin to version 3.1.3, bringing lots of bug fixes and new rules. Please make sure you verify that it still works with your configuration. Also included is now 'sa-update', a rule update script. For this script to work make sure that the perl-IO-ZLib and perl-libwww-perl packages are installed.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27449
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27449
    title openSUSE 10 Security Update : spamassassin (spamassassin-1904)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-103.NASL
    description A flaw was discovered in the way that spamd processes the virtual POP usernames passed to it. If running with the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running spamd. By default, the Spamassassin packages do not start spamd with either of these flags and this usage is uncommon. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21718
    published 2006-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21718
    title Mandrake Linux Security Advisory : spamassassin (MDKSA-2006:103)
  • NASL family Gain a shell remotely
    NASL id SPAMD_VPOPMAIL_CMD_EXEC.NASL
    description The remote host is running spamd, a daemon belonging to SpamAssassin and used to determine whether messages represent spam. The installed version of spamd on the remote host appears to allow an unauthenticated user to execute arbitrary commands, subject to the privileges of the user under which it operates.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 21673
    published 2006-06-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21673
    title SpamAssassin spamd Crafted Message Arbitrary Command Execution
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-242.NASL
    description This upgrades to version 3.1.8, which fixes some bugs and CVE-2007-0451 Malformed HTML Denial of Service. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24361
    published 2007-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24361
    title Fedora Core 5 : spamassassin-3.1.8-1.fc5 (2007-242)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1090.NASL
    description A vulnerability has been discovered in SpamAssassin, a Perl-based spam filter using text analysis, that can allow remote attackers to execute arbitrary commands. This problem only affects systems where spamd is reachable via the internet and used with vpopmail virtual users, via the '-v' / '--vpopmail' switch, and with the '-P' / '--paranoid' switch which is not the default setting on Debian.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22632
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22632
    title Debian DSA-1090-1 : spamassassin - programming error
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200606-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-200606-09 (SpamAssassin: Execution of arbitrary code) When spamd is run with both the '--vpopmail' (-v) and '--paranoid' (-P) options, it is vulnerable to an unspecified issue. Impact : With certain configuration options, a local or even remote attacker could execute arbitrary code with the rights of the user running spamd, which is root by default, by sending a crafted message to the spamd daemon. Furthermore, the attack can be remotely performed if the '--allowed-ips' (-A) option is present and specifies non-local adresses. Note that Gentoo Linux is not vulnerable in the default configuration. Workaround : Don't use both the '--paranoid' (-P) and the '--vpopmail' (-v) options.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 21702
    published 2006-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21702
    title GLSA-200606-09 : SpamAssassin: Execution of arbitrary code
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0543.NASL
    description Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A flaw was found with the way the Spamassassin spamd daemon processes the virtual pop username passed to it. If a site is running spamd with both the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running the spamd daemon. (CVE-2006-2447) Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4 support vpopmail delivery. Running spamd with the --vpopmail and --paranoid flags is uncommon and not the default startup option as shipped with Red Hat Enterprise Linux 4. Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups against visi.com to help determine if an email is spam. However, this DNS RBL has recently disappeared, resulting in mail filtering delays and timeouts. Users of SpamAssassin should upgrade to these updated packages containing version 3.0.6 and backported patches, which are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21672
    published 2006-06-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21672
    title RHEL 4 : spamassassin (RHSA-2006:0543)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2006-598.NASL
    description 3.1.3 Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration. Also included are bug fixes from 3.1.2. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24118
    published 2007-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24118
    title Fedora Core 5 : spamassassin-3.1.3-1.fc5 (2006-598)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0543.NASL
    description Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A flaw was found with the way the Spamassassin spamd daemon processes the virtual pop username passed to it. If a site is running spamd with both the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running the spamd daemon. (CVE-2006-2447) Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4 support vpopmail delivery. Running spamd with the --vpopmail and --paranoid flags is uncommon and not the default startup option as shipped with Red Hat Enterprise Linux 4. Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups against visi.com to help determine if an email is spam. However, this DNS RBL has recently disappeared, resulting in mail filtering delays and timeouts. Users of SpamAssassin should upgrade to these updated packages containing version 3.0.6 and backported patches, which are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21999
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21999
    title CentOS 4 : spamassassin (CESA-2006:0543)
oval via4
accepted 2013-04-29T04:18:25.849-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
family unix
id oval:org.mitre.oval:def:9184
status accepted
submitted 2010-07-09T03:56:16-04:00
title SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
version 23
packetstorm via4
data source https://packetstormsecurity.com/files/download/82332/spamassassin_exec.rb.txt
id PACKETSTORM:82332
last seen 2016-12-05
published 2009-10-28
reporter patrick
source https://packetstormsecurity.com/files/82332/SpamAssassin-spamd-Remote-Command-Execution.html
title SpamAssassin spamd Remote Command Execution
redhat via4
advisories
bugzilla
id 193865
title CVE-2006-2447 spamassassin arbitrary command execution
oval
AND
comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhsa:tst:20060016001
rhsa
id RHSA-2006:0543
released 2006-06-06
severity Moderate
title RHSA-2006:0543: spamassassin security update (Moderate)
refmap via4
bid 18290
bugtraq 20060607 rPSA-2006-0096-1 spamassassin
confirm http://www.nabble.com/ANNOUNCE%3A-Apache-SpamAssassin-3.1.3-available%21-t1736096.html
debian DSA-1090
gentoo GLSA-200606-09
mandriva MDKSA-2006:103
sectrack
  • 1016230
  • 1016235
secunia
  • 20430
  • 20443
  • 20482
  • 20531
  • 20566
  • 20692
trustix 2006-0034
vupen ADV-2006-2148
xf spamassassin-spamd-command-execution(27008)
saint via4
bid 18290
description SpamAssassin spamd vpopmail user vulnerability
id mail_misc_spamassassin
osvdb 26177
title spamassassin_spamd_vpopmail
type remote
Last major update 07-04-2011 - 00:00
Published 06-06-2006 - 17:06
Last modified 18-10-2018 - 12:40
Back to Top