Re: [exim] someone posted an none working exploit for exim

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Graeme Fowler
Date:  
À: exim-users
Sujet: Re: [exim] someone posted an none working exploit for exim
On 7 Jun 2013, at 14:35, Cyborg <cyborg2@???> wrote:
> someone posted an exploit on packetstorm, which should not work at all ( and does not on an actual exim )
>
> [root@vpn ~]# nc 127.0.0.1 25
> 220 locahost ESMTP Exim 4.76 Fri, 07 Jun 2013 15:28:45 +0200
> HELO localhost
> 250 localhost Hello localhost [127.0.0.1]
> MAIL FROM: x`ls -la >/tmp/test`@???
> 501 x`ls -la >/tmp/test`@???: missing or malformed local part (expected word or "<")
>
> Was this a security risk ever, or did they just wanne have theire five minutes ?


Er…

http://packetstormsecurity.com/files/121913/Exim-sender_address-Remote-Command-Execution.html

Taken literally, it doesn't work as the MAIL FROM: command is syntactically invalid.

However, if you look at the python code at the above URI, you'll see something important:

"http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/"

So this is trying to exploit the previously discovered vulnerability using Dovecot. This was a configuration error in the Dovecot wiki, which has been rectified (2nd May). The detail of that was the the previous example used "use_shell", which we document as being "inherently insecure".

Graeme