[Dovecot] Security Hole in 1.0.13?

Lawrence Sheed lawrence at computersolutions.cn
Sun May 18 08:52:43 EEST 2008


I'm running 1.0.13

If I run dovecot for a while, I see a /var/run/dotvecot folder created  
with the following:

drwxr-xr-x  3 root        root        4096 2008-05-18 13:30 dotvecot


drwxr-xr-x  3 root root    4096 2008-05-18 13:47 .
drwxr-xr-x 18 root root    4096 2008-05-18 13:47 ..
srw-------  1 root root       0 2008-05-18 13:47 auth-worker.15138
srwxrwxrwx  1 root root       0 2008-05-18 13:47 dict-server
drwxr-x---  2 root dovecot 4096 2008-05-18 13:47 login
-rw-------  1 root root       6 2008-05-18 13:47 master.pid

It appears to be created  by imap-login


I've tried removing any dovecot remnants and reinstalling from the  
1.0.13 tar.gz from the site.
After starting dovecot again, the files reappear after a few minutes.


The processes are running something on 6243 and 6244

(Presumably an exploit / login)

I have iptables set up to only allow existing ports in/out, so I think  
that's saved me so far.

I've switched to courier-imap in the interim.

Anyone want to assist in finding out how they are getting in?

Definitely dovecot related.  If I don't run dovecot, seems secure.  As  
soon as I run dovecot, after a few minutes - rooted...


dovecot.conf

cat /etc/dovecot/dovecot.conf
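# NOTE(review): annotated copy of the posted dovecot.conf. Setting values are
# unchanged; trailing comments that had been wrapped onto separate lines are
# rejoined so each line is again a single setting plus its comment.

# NOTE(review): base_dir is where Dovecot keeps its runtime state. The value is
# spelled "dotvecot", which is exactly the directory the post reports appearing,
# and the entries listed there (master.pid, login/, auth-worker.<pid>,
# dict-server) all sit under this path. The directory is therefore what this
# setting produces and is not, by itself, a sign of tampering.
base_dir = /var/run/dotvecot
protocols = imap imaps
listen = *
# NOTE(review): plaintext logins are accepted on connections without SSL/TLS.
# Together with "mechanisms = plain" and the port 143 listener below, passwords
# can cross the network unencrypted.
disable_plaintext_auth = no
shutdown_clients = yes
syslog_facility = local7          #<-- Ensure this is set up in syslog conf
ssl_disable = no

login_max_processes_count = 128
login_max_connections = 256
login_greeting =  K-Tex IMAP Server               # <-- CUSTOMISE FOR YOUR SITE
login_process_size = 64
# One login process per client connection, so pre-authentication connections do
# not share a process.
login_process_per_connection = yes
login_processes_count = 16


# NOTE(review): the key path is named clientcert.pem. Confirm that it holds the
# private key belonging to servercert.pem and that only root can read it.
ssl_cert_file = /var/qmail/control/servercert.pem # /usr/local/etc/ssl/italy1-cert.pem
ssl_key_file =/var/qmail/control/clientcert.pem   # /usr/local/etc/ssl/italy1.pem


# Logins that resolve to a UID or GID below 89 are refused.
first_valid_uid = 89
first_valid_gid = 89

protocol imap {
  # NOTE(review): 143 and 993 are the only ports this file asks Dovecot to
  # listen on. Ports 6243 and 6244 mentioned in the post are not configured
  # here, so the process that owns them should be identified before they are
  # attributed to Dovecot.
  listen = *:143
  ssl_listen = *:993
  #mail_plugins = quota imap_quota
  #login_greeting_capability = no
  mail_plugin_dir = /usr/local/lib/dovecot/imap
  imap_client_workarounds = outlook-idle
}


auth_process_size = 512
auth_cache_size = 512
auth_cache_ttl = 3600
auth default {
  mechanisms = plain

  # vpopmail authentication
  passdb vpopmail {
    #args =
  }

  # vpopmail
  userdb vpopmail {
  }

  # NOTE(review): the auth process runs as root. Whether the vpopmail lookups
  # need that on this host is not visible here. TODO confirm whether a less
  # privileged account that can read the vpopmail data would be enough.
  user = root
}

dict {
  #quota = mysql:/etc/dovecot-dict-quota.conf
}

plugin {
  quota = maildir
}

namespace private {
  prefix = INBOX.
  inbox = yes
}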


