[exim-announce] Security: Dovecot integration, exploit in wi…

Top Page

Reply to this message
Author: Phil Pennock
To: exim-announce
Subject: [exim-announce] Security: Dovecot integration, exploit in wild

Until fairly recently, the Dovecot documentation proposed an Exim
configuration sample which resulted in insecure Exim configurations.
We're told that there are now automated exploits available for at least
one common exploit framework.

If you have configured Exim to work with Dovecot, it's good to check
that you're up-to-date with their recommended configuration. If you
haven't, but grep'ing your Exim configure file shows the presence of
"use_shell", then now is a good time to review.

$ fgrep use_shell -- $(exim -bP configure_file)

It's unfortunate that we're in a situation where even mail experts who
work on another mail product can so inadvertently create a security

Exim's original author (Philip Hazel) deliberately made sure that Exim
does not use the shell by default, so that arbitrary content in a
sender's address can not be injected for shell parsing. This work on
his part was explicitly to protect against this kind of attack.

Alas, while the use_shell documentation warned of the issues, the
Security Considerations section of the documentation did not reference
this, so folks may not have caught the full implications during any
security review of their configurations.

We have since updated the documentation for the next release of Exim to
include a "Running local commands" section in the "Security
considerations" chapter, referencing this and other items of concern.
I have included a rendering of this to plain text below, for your

The use_shell option, while dangerous, does have legitimate uses and we
can't remove the facility. It remains something that does have to be
explicitly enabled in configuration and the default behaviour of Exim
does protect against this kind of attack.

PLEASE: review your configurations, in light of the points below, to
better protect yourselves.

Thank you for your attention,
- -Phil Pennock, pp The Exim Maintainers.


New documentation; commit:

As plain text:
- ----------------------------8< cut here >8------------------------------
54.5 Running local commands
- ---------------------------

There are a number of ways in which an administrator can configure Exim to run
commands based upon received, untrustworthy, data. Further, in some
configurations a user who can control a .forward file can also arrange to run
commands. Configuration to check includes, but is not limited to:

  * Use of use_shell in the pipe transport: various forms of shell command
    injection may be possible with this option present. It is dangerous and
    should be used only with considerable caution. Consider constraints which
    whitelist allowed characters in a variable which is to be used in a pipe
    transport that has use_shell enabled.

  * A number of options such as forbid_filter_run, forbid_filter_perl, 
    forbid_filter_dlfunc and so forth which restrict facilities available to
    .forward files in a redirect router. If Exim is running on a central mail
    hub to which ordinary users do not have shell access, but home directories
    are NFS mounted (for instance) then administrators should review the list
    of these forbid options available, and should bear in mind that the options
    that may need forbidding can change as new features are added between

  * The ${run...} expansion item does not use a shell by default, but
    administrators can configure use of /bin/sh as part of the command. Such
    invocations should be viewed with prejudicial suspicion.

  * Administrators who use embedded Perl are advised to explore how Perl's
    taint checking might apply to their usage.

  * Use of ${expand...} is somewhat analagous to shell's eval builtin and
    administrators are well advised to view its use with suspicion, in case
    (for instance) it allows a local-part to contain embedded Exim directives.

  * Use of ${match_local_part...} and friends becomes more dangerous if Exim
    was built with EXPAND_LISTMATCH_RHS defined: the second string in each can
    reference arbitrary lists and files, rather than just being a list of
    opaque strings. The EXPAND_LISTMATCH_RHS option was added and set false by
    default because of real-world security vulnerabilities caused by its use
    with untrustworthy data injected in, for SQL injection attacks. Consider
    the use of the inlisti expansion condition instead.

- ----------------------------8< cut here >8------------------------------