On 7 Jun 2013, at 14:35, Cyborg <cyborg2@???> wrote:
> someone posted an exploit on packetstorm, which should not work at all (and does not on an actual Exim)
>
> [root@vpn ~]# nc 127.0.0.1 25
> 220 locahost ESMTP Exim 4.76 Fri, 07 Jun 2013 15:28:45 +0200
> HELO localhost
> 250 localhost Hello localhost [127.0.0.1]
> MAIL FROM: x`ls -la >/tmp/test`@???
> 501 x`ls -la >/tmp/test`@???: missing or malformed local part (expected word or "<")
>
> Was this ever a security risk, or did they just wanna have their five minutes?
Er…
http://packetstormsecurity.com/files/121913/Exim-sender_address-Remote-Command-Execution.html
Taken literally, it doesn't work, as the MAIL FROM: command is syntactically invalid.
However, if you look at the python code at the above URI, you'll see something important:
"http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/"
So this is trying to exploit the previously discovered vulnerability using Dovecot. This was a configuration error in the Dovecot wiki, which has been rectified (2nd May). The detail of that was that the previous example used "use_shell", which we document as being "inherently insecure".
Graeme
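The following is an added example, not code from this thread, from Exim or from Dovecot. It models the distinction Graeme's reply turns on: with `use_shell` set, Exim's pipe transport expands the whole `command` string and hands it to `/bin/sh -c`, so shell metacharacters that arrive inside `$sender_address` are interpreted; with the default (no `use_shell`), Exim splits the command into arguments first, expands each argument on its own and execs the result directly, so no shell ever parses the sender address. The `-d`/`-f` command shape is assumed from the Dovecot LDA recipe, the delivery agent is replaced by a Python one-liner so the example runs anywhere, `shlex.split` stands in for Exim's argument splitting, `expand()` is a toy stand-in for Exim string expansion, and the sender address is a constructed payload that only touches a marker file in a temporary directory. It deliberately says nothing about how such an address would get past Exim's MAIL FROM parser; it only shows what the transport does with an address once accepted.

```python
"""Added example: why a pipe transport with `use_shell` turns a sender
address into command execution, and why the default mode does not.
Stand-in code, not Exim's or Dovecot's."""
import os
import shlex
import shutil
import subprocess
import sys
import tempfile

# The "delivery agent" is this interpreter, printing the value it received
# after -f (the envelope sender), like a local delivery agent would log it.
AGENT_CODE = 'import sys; print(sys.argv[sys.argv.index("-f") + 1])'

# Assumed shape of the Dovecot LDA command from an Exim pipe transport,
# with the real binary replaced by the agent above.
COMMAND_TEMPLATE = (
    f"{shlex.quote(sys.executable)} -c {shlex.quote(AGENT_CODE)}"
    " -d $local_part@$domain -f $sender_address"
)


def expand(text, variables):
    """Toy stand-in for Exim string expansion: replace $name with its value."""
    for name, value in variables.items():
        text = text.replace("$" + name, value)
    return text


def deliver_use_shell(variables):
    """use_shell: expand the whole line, then run it via /bin/sh -c.
    Every metacharacter inside $sender_address reaches the shell."""
    line = expand(COMMAND_TEMPLATE, variables)
    out = subprocess.run(line, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def deliver_argv(variables):
    """Default pipe transport: split into arguments first (shlex.split is an
    approximation of Exim's splitting), expand each argument separately,
    exec directly. The sender address stays a single opaque argv element."""
    argv = [expand(arg, variables) for arg in shlex.split(COMMAND_TEMPLATE)]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo():
    """Run both modes against a constructed sender address carrying a
    backtick command substitution; report what the agent saw and whether
    the embedded command actually executed."""
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "pwned")
    # Constructed payload: `touch <marker>` inside the local part.
    sender = f"x`touch {marker}`@example.com"
    variables = {"local_part": "alice", "domain": "example.com",
                 "sender_address": sender}
    try:
        seen_by_shell = deliver_use_shell(variables)
        shell_ran_payload = os.path.exists(marker)
        if shell_ran_payload:
            os.remove(marker)
        seen_by_argv = deliver_argv(variables)
        argv_ran_payload = os.path.exists(marker)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {
        "sender": sender,
        "use_shell": {"agent_saw": seen_by_shell, "payload_ran": shell_ran_payload},
        "argv": {"agent_saw": seen_by_argv, "payload_ran": argv_ran_payload},
    }


if __name__ == "__main__":
    results = demo()
    print("sender address:", results["sender"])
    for mode in ("use_shell", "argv"):
        r = results[mode]
        print(f"{mode:9s} agent saw {r['agent_saw']!r}; payload ran: {r['payload_ran']}")
```

Note what the shell mode hides as well as what it executes: the agent is handed `x@example.com`, because the shell consumed the backticks and substituted the (empty) output of the command it ran, so a delivery log would show an innocent-looking sender. In argv mode the agent receives the backtick string verbatim and nothing is executed, which is exactly why Exim's documentation flags `use_shell` as inherently insecure and why the Dovecot wiki recipe was corrected to drop it.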