[Dovecot] Security Hole in 1.0.13?

Odhiambo Washington odhiambo at gmail.com
Sun May 18 09:54:29 EEST 2008


On Sun, May 18, 2008 at 8:52 AM, Lawrence Sheed <
lawrence at computersolutions.cn> wrote:

> I'm running 1.0.13
>
> If I run dovecot for a while, I see a /var/run/dotvecot folder created with
> the following:
>
> drwxr-xr-x  3 root        root        4096 2008-05-18 13:30 dotvecot
>
>
> drwxr-xr-x  3 root root    4096 2008-05-18 13:47 .
> drwxr-xr-x 18 root root    4096 2008-05-18 13:47 ..
> srw-------  1 root root       0 2008-05-18 13:47 auth-worker.15138
> srwxrwxrwx  1 root root       0 2008-05-18 13:47 dict-server
> drwxr-x---  2 root dovecot 4096 2008-05-18 13:47 login
> -rw-------  1 root root       6 2008-05-18 13:47 master.pid
>
> It appears to be created  by imap-login
>
>
> I've tried removing any dovecot remnants and reinstalling from the 1.0.13
> tar.gz from the site.
> After starting dovecot again after a few minutes the files appear.
>

What is the problem according to you???
Excuse me for being blind to it if it is really there, but this appears okay
to me!
In your dovecot.conf, you have the following:

base_dir = /var/run/dotvecot

Given that it's actually your own typo putting that in place, how does that
constitute a security hole?:-)


>
> The processes are running something on 6243 and 6244


What are those? tcp ports??? pids??


>
> (Presumably an exploit / login)


Oh, how? Your question is simply not clear to me at all, but that could be
because I am not quite a security expert to see the obvious.



> I have iptables setup to only allow existing ports in/out so I think that's
> saved me so far.
>
> I've switched to courier-imap in the interim.
>
> Anyone want to assist in finding out how they are getting in?
>
> Definitely dovecot related.  If I don't run dovecot, seems secure.  As soon
> as I run dovecot, after a few minutes - rooted...


???

Lemme watch this in the periphery! I run dovecot-1.0.13 on over 20 hosts so
I could be "rooted" as well. However, my setups tell dovecot to listen to
ports 110 and 143 only and I have never observed anything strange.

Timo has some good amount of money to offer you if you could prove that
there is a security exploit, but I don't see you getting even 0.001% of that
amount just with the information you've provided here.
Aren't you just being paranoid?
Could you please provide more information that can make someone "see" what
you are scared of?


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

"Oh My God! They killed init! You Bastards!"
--from a /. post
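The reply above turns on one check: is the unexpected runtime directory the one your own dovecot.conf asks for? The following script is an added example, not code from the thread or from the Dovecot project. It reads the effective `base_dir` from a constructed dovecot.conf fragment, parses a constructed `ls -la` listing modelled on the one quoted in the thread, and reports whether the observed directory matches the configuration together with a summary of owner and mode for each entry. The directive name `base_dir` is the real Dovecot one; the config text, listing text and the audit function are constructed for this example.

```python
"""Added example: confirm an observed Dovecot runtime directory against the
configured base_dir and summarise the ownership and mode of its contents.
Inputs below are constructed to mirror the listing in the thread; nothing is
read from a live system."""
import re
from dataclasses import dataclass

# Constructed dovecot.conf fragment (the commented default plus a typo'd value).
SAMPLE_CONF = """\
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
base_dir = /var/run/dotvecot
protocols = imap pop3
"""

# Constructed `ls -la` output modelled on the directory listing quoted above.
SAMPLE_LISTING = """\
drwxr-xr-x  3 root root    4096 2008-05-18 13:47 .
drwxr-xr-x 18 root root    4096 2008-05-18 13:47 ..
srw-------  1 root root       0 2008-05-18 13:47 auth-worker.15138
srwxrwxrwx  1 root root       0 2008-05-18 13:47 dict-server
drwxr-x---  2 root dovecot 4096 2008-05-18 13:47 login
-rw-------  1 root root       6 2008-05-18 13:47 master.pid
"""

@dataclass
class Entry:
    name: str
    ftype: str    # 'd' directory, 's' socket, '-' regular file, ...
    perms: str    # nine-character rwx string
    owner: str
    group: str

# Matches one `ls -l` line: type+perms, link count, owner, group, size, date, time, name.
LS_RE = re.compile(
    r"^([-dlsbcp])([rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$"
)

def configured_base_dir(conf_text):
    """Return the effective base_dir value from dovecot.conf text, skipping
    commented-out lines. If the directive repeats, this script keeps the last
    one (an assumption of the example, not a statement about Dovecot's parser).
    Returns None when the directive is absent."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"base_dir\s*=\s*(\S+)", line)
        if m:
            value = m.group(1).rstrip("/")
    return value

def parse_listing(listing_text):
    """Turn `ls -la` output into Entry objects, dropping '.' and '..'."""
    entries = []
    for line in listing_text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        ftype, perms, owner, group, name = m.groups()
        if name in (".", ".."):
            continue
        entries.append(Entry(name, ftype, perms, owner, group))
    return entries

def audit(conf_text, observed_dir, listing_text):
    """Compare the observed directory with the configured base_dir and list
    entries whose mode or owner a reviewer would want to look at. The script
    reports facts only; whether a given mode is expected for a particular
    socket is for the daemon's documentation to say."""
    entries = parse_listing(listing_text)
    return {
        "configured_base_dir": configured_base_dir(conf_text),
        "matches_config": observed_dir.rstrip("/") == configured_base_dir(conf_text),
        "entries": [(e.name, e.ftype, e.perms, e.owner, e.group) for e in entries],
        # 'other' write bit is the eighth character of the rwx string.
        "world_writable": [e.name for e in entries if e.perms[7] == "w"],
        "not_root_owned": [e.name for e in entries if e.owner != "root"],
    }

if __name__ == "__main__":
    report = audit(SAMPLE_CONF, "/var/run/dotvecot", SAMPLE_LISTING)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real host, the two constructed inputs would be replaced by the contents of the actual dovecot.conf and the output of `ls -la` on the directory in question; a `matches_config` of True is the evidence the reply asks for, and the owner and mode summary gives something concrete to compare against the daemon's documented defaults rather than an impression that "something appeared".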

