On 2023-01-14 at 17:33 +0200, Mary wrote:
> Thank you, I'll take a closer look, because Shellshock implies that
> somehow the SMTPD executes a bash script, which I find highly
> unlikely. That is why I thought they are trying to exploit something
> further down the pipeline (Logstash, Prometheus, etc).
The command is a normal shellshock payload. It would seem to target the case where the mail server or an MDA sets an environment variable with the MAIL FROM value and then executes a command through bash. This could be the execution of a milter, a procmail... courier also extensively uses environment variables between their programs. The most difficult part is that a bash shell is executed... being an old version which is not patched for this 2014 vulnerability.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
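The vector described in the reply (an attacker-controlled MAIL FROM value copied into an environment variable before bash is invoked) is something a mail operator can both detect in logs and rule out on the host. The script below is an added example, not code from the thread or from any of the programs it names. It assumes a constructed SMTP log format with `MAIL FROM:<...>` lines (the sample lines are made up) and flags values carrying the Shellshock function-definition signature; the optional `bash_rejects_function_import()` helper runs the widely published self-test to confirm the local bash is patched for CVE-2014-6271-style function import.

```python
import re
import subprocess

# Shellshock abused bash importing function definitions from environment
# variables: a value starting with "() {" followed by a closing "}" and
# further commands. Anything a mail pipeline might copy into the environment
# unfiltered (MAIL FROM, RCPT TO, header values) is worth screening for it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*\}\s*;", re.DOTALL)

# Pattern for the constructed log format assumed here (hypothetical layout).
MAIL_FROM_RE = re.compile(r"MAIL FROM:<(.*)>")

# Constructed sample log lines, not real traffic. Lines 2 and 4 carry the
# signature; the quoted local-part form in line 4 is syntactically a valid
# address, which is why the check looks at the whole value.
SAMPLE_LOG = [
    "2023-01-14T17:33:02 smtpd[1234]: MAIL FROM:<alice@example.com>",
    "2023-01-14T17:33:05 smtpd[1234]: MAIL FROM:<() { :;}; /bin/true>",
    "2023-01-14T17:33:09 smtpd[1235]: RCPT TO:<bob@example.com>",
    '2023-01-14T17:33:10 smtpd[1236]: MAIL FROM:<"() { :;}; /bin/true"@example.org>',
]


def extract_mail_from(line):
    """Return the raw MAIL FROM value from a log line, or None if absent."""
    m = MAIL_FROM_RE.search(line)
    return m.group(1) if m else None


def is_shellshock_payload(value):
    """True if the value looks like an exported-function definition."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_log(lines):
    """Return the log lines whose MAIL FROM value carries the signature."""
    hits = []
    for line in lines:
        value = extract_mail_from(line)
        if value is not None and is_shellshock_payload(value):
            hits.append(line)
    return hits


def bash_rejects_function_import(bash="bash"):
    """Run the canonical CVE-2014-6271 self-test against the local bash.

    Returns True if bash is patched (the trailing command in the variable
    is not executed), False if it prints "vulnerable", None if bash is
    missing or the probe could not run.
    """
    try:
        out = subprocess.run(
            [bash, "-c", "echo probe"],
            env={"x": "() { :;}; echo vulnerable"},
            capture_output=True, text=True, timeout=5,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" not in out.stdout


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious MAIL FROM:", hit)
    print("local bash rejects function import:", bash_rejects_function_import())
```

The log scan is a detection aid only: the actual fix is a patched bash on every host in the delivery path, and not handing untrusted SMTP values to a shell at all (a milter or procmail recipe should receive them as arguments, not via an exported variable that a shell will parse).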