On 26 Sep 2014, at 11:46, Joseph Tam <[email protected]> wrote:
> On Fri, 26 Sep 2014, Stephan Bosch wrote:
>
>> I don't see much of an attack vector there either. However, there are
>> some people that have wrapped /usr/sbin/sendmail in a shell script to
>> achieve some sort of custom messaging behavior. Those would be vulnerable.
>>
>> Another possibility for trouble would be systems using the Pigeonhole
>> extprograms plugin with shell scripts.
>
> Although I don't use it, it's plausible the checkpassword hook is also
> vulnerable
> via the MASTER_USER environment variable:
>
> http://wiki2.dovecot.org/AuthDatabase/CheckPassword
This is one possibility, and it's the worst one because it could happen before
login. But it requires two things:
1. auth_username_chars setting must include the characters required in the
exploit, so "(){;" at least I guess. None of these characters are enabled by
default. But I think some people may have set this setting to empty to allow
all characters.
2. checkpassword must call bash, which also isn't done by default.
Another possibility is is that in some setups the password (%w) may be added to
userdb fields, which ends up being exported to environment if post-login
scripts are used. Again Dovecot doesn't execute shell automatically, but it may
end up being executed by the configuration. So this requires a valid username +
password, and ability to change the password to the bash exploit.
