Re: [exim] Exim with Dovecot: Typical Misconfiguration Leads…

Top Pagina
Delete this message
Reply to this message
Auteur: Jan Ingvoldstad
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution
On Tue, May 7, 2013 at 11:20 AM, Graeme Fowler <graeme@???> wrote:

>
> I'm slightly late to the list party on this one as I've been running
> after errant racing cars all weekend, but (as I commented on the G+
> thread for this) the default configuration's RCPT ACL would reject an
> inbound email address containing backticks as being invalid.
>
> This does not absolve the "use_shell" option of its risk, but does
> mitigate it somewhat.
>


Not really, if the shell handling is POSIX compliant, then command
substitution can also happen with the $() construct.

This is just as dangerous, and permits nesting of shell commands.

The characters $() are not rejected, unless I am mistaken:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_default_configuration_file.html

I have not tested if use_shell etc. permits remote code execution when this
command substitution construct is used, so I may have missed something.
--
Jan