One of our readers wrote in to let us know that he had received an attempted Exim/Dovecot exploit against his email server. The exploit partially looked like this:
(Obviously edited for your safety, and I didn't post the whole thing.) This is an exploit against Dovecot that is using the feature "use_shell" against itself. This feature, unfortunately, is found in the example wiki on Dovecot's website, and also in their example configuration. We'd caution anyone that is using Dovecot to take a look at their configuration and make sure they aren't using the "use_shell" parameter. Or if you are, make darn sure you know what you are doing, and how to defend yourself. -- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Joel, 454 Posts, Jun 7th 2013
To be clear, this is about configurations using dovecot as a LDA, and it's actually the exim config to enable that which has the 'use_shell' issue. So if you're checking it should be /etc/exim4/exim4.conf, or similar, that you look at, not the dovecot config!
Athanasius, 9 Posts, Jun 7th 2013
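The check described in the comment above, as an added example that is not part of the diary and is not Exim's or Dovecot's own code: a small Python audit that parses the transports section of an Exim configuration and flags pipe transports that set use_shell while interpolating sender-influenced expansion variables into the command. The configuration text inside it is constructed for illustration, the transport names are assumed, and the deliver path is the common Debian location rather than anything taken from the reader's report.

```python
"""Audit Exim pipe transports for use_shell.

Added example, not code from the ISC diary, Exim or Dovecot.  The transport
names and the configuration text below are constructed for illustration; the
deliver path is the usual Debian one and is an assumption.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample config: the first transport is written the risky way
# (use_shell plus sender-influenced expansions in the command); the second is
# the same transport with use_shell removed, so Exim splits the command itself.
SAMPLE_CONFIG = """\
begin transports

dovecot_virtual_delivery:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address
  user = vmail
  use_shell

dovecot_lda_fixed:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address
  user = vmail

remote_smtp:
  driver = smtp
"""

# Expansion variables a remote party can influence through the envelope or
# message headers; if they reach /bin/sh unescaped, the sender picks the command.
SENDER_INFLUENCED = (
    "$sender_address", "${sender_address",
    "$local_part", "${local_part",
    "$domain", "${domain",
    "$original_local_part", "$original_domain",
    "$h_", "$header_",
)

TRANSPORT_HEADER = re.compile(r"^([\w-]+):\s*$")
OPTION = re.compile(r"^\s*(no_|not_)?([a-z0-9_]+)\s*(?:=\s*(.*))?$")


def parse_transports(text: str) -> Dict[str, Dict[str, str]]:
    """Return {transport name: {option: value}} for the 'begin transports'
    section.  A bare boolean option becomes 'true'; a no_/not_ prefix, 'false'."""
    transports: Dict[str, Dict[str, str]] = {}
    in_section = False
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("begin "):
            in_section = line.split()[1] == "transports"
            current = None
            continue
        if not in_section:
            continue
        header = TRANSPORT_HEADER.match(line)
        if header:
            current = header.group(1)
            transports[current] = {}
            continue
        opt = OPTION.match(line)
        if opt and current is not None:
            negated, key, value = opt.groups()
            if value is None:
                value = "false" if negated else "true"
            transports[current][key] = value.strip()
    return transports


def is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes")


def find_shell_pipe_transports(text: str) -> List[Tuple[str, str]]:
    """List (transport, reason) for pipe transports that hand their command to
    /bin/sh; the reason notes whether sender-influenced variables appear in it."""
    findings: List[Tuple[str, str]] = []
    for name, opts in parse_transports(text).items():
        if opts.get("driver") != "pipe":
            continue
        if not is_true(opts.get("use_shell", "false")):
            continue
        command = opts.get("command", "")
        if any(var in command for var in SENDER_INFLUENCED):
            findings.append((name, "use_shell with sender-influenced variables in command"))
        else:
            findings.append((name, "use_shell set; review command for untrusted expansions"))
    return findings


def main(argv: List[str]) -> int:
    # Usage: python3 exim_use_shell_audit.py /etc/exim4/exim4.conf
    # With no argument the constructed sample above is audited instead.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    findings = find_shell_pipe_transports(text)
    for name, reason in findings:
        print(f"{name}: {reason}")
    if not findings:
        print("no pipe transports use use_shell")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample it reports dovecot_virtual_delivery and stays quiet about dovecot_lda_fixed. The remediation the finding points at is simply to drop use_shell (or set no_use_shell) on the transport: Exim then splits the command into arguments itself and expands each argument separately, so a sender address containing shell metacharacters is handed to deliver as one opaque argument instead of being interpreted by /bin/sh.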
This must have been going on for some time, as I recall seeing an example of this some weeks ago. It actually got delivered to an administrator account like postmaster@ and seemed like spam at first glance. Unfortunately I can't find a sample of this now. I didn't realise at the time what it was trying to exploit; I'd thought it was maybe something to do with mail sieve/filters like procmail.
Steven C., 171 Posts, Jun 7th 2013