[Dovecot] Security Hole in 1.0.13?
Timo Sirainen
tss at iki.fi
Sun May 18 12:45:12 EEST 2008
On Sun, 2008-05-18 at 13:52 +0800, Lawrence Sheed wrote:
It would be helpful to have some more information, such as:
> If I run dovecot for a while, I see a /var/run/dotvecot folder created
> with the following:
>
> drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot
..
> I've tried removing any dovecot remnants and reinstalling from the
> 1.0.13 tar.gz from the site.
> After starting dovecot again after a few minutes the files appear.
Even if you change base_dir back to /var/run/dovecot? What if you unplug
the network, does it still come back too?
> The processes are running something on 6243 and 6244
netstat -ln doesn't show them? That would mean the attacker gained root
access, which is very unlikely to have happened directly through Dovecot
(but getting non-root via Dovecot -> root via some other exploit is
possible of course).
> passdb vpopmail {
> #args =
> }
vpopmail would be one possibility, I have some doubts about its
security.
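
Added example, not part of the original message or of Dovecot: one way to run the check asked about above, comparing the listening TCP ports the kernel lists in /proc/net/tcp with what `netstat -ln` prints. The sample inputs are constructed and the function names are hypothetical; matching output does not prove a clean host, since a kernel-level rootkit can hide sockets from /proc as well.

```python
"""Cross-check LISTEN ports: /proc/net/tcp text vs. `netstat -ln` text."""

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp and /proc/net/tcp6

# Constructed sample: kernel view with 143, 993, 6243, 6244 listening.
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:03E1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1863 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 00000000:1864 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0100007F:008F 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1
"""

# Constructed sample: a netstat binary that omits 6243 and 6244.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp6       0      0 :::993                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def proc_listen_ports(proc_text):
    """Ports in LISTEN state according to /proc/net/tcp(6) content."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # HEXIP:HEXPORT
    return ports


def netstat_listen_ports(netstat_text):
    """Ports that `netstat -ln` output reports as TCP LISTEN."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_ports(proc_text, netstat_text):
    """Ports the kernel lists as listening but netstat does not show."""
    return sorted(proc_listen_ports(proc_text) - netstat_listen_ports(netstat_text))


if __name__ == "__main__":
    print("listening but missing from netstat:", hidden_ports(SAMPLE_PROC, SAMPLE_NETSTAT))
```

On a live host, feed it the contents of /proc/net/tcp and /proc/net/tcp6 and the captured output of `netstat -ln`, ideally using a netstat binary from trusted media.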