On 7 Jun 2013, at 14:35, Cyborg <[email protected]> wrote:
> Someone posted an exploit on packetstorm, which should not work at all (and 
> does not on an actual exim)
> 
> [root@vpn ~]# nc 127.0.0.1 25
> 220 locahost ESMTP Exim 4.76 Fri, 07 Jun 2013 15:28:45 +0200
> HELO localhost
> 250 localhost Hello localhost [127.0.0.1]
> MAIL FROM: x`ls -la >/tmp/test`@me.de
> 501 x`ls -la >/tmp/test`@me.de: missing or malformed local part (expected 
> word or "<")
> 
> Was this a security risk ever, or did they just wanna have their five 
> minutes?

Er…

http://packetstormsecurity.com/files/121913/Exim-sender_address-Remote-Command-Execution.html

Taken literally, it doesn't work as the MAIL FROM: command is syntactically 
invalid.

However, if you look at the python code at the above URI, you'll see something 
important:

"http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/";

So this is trying to exploit the previously discovered vulnerability using 
Dovecot. This was a configuration error in the Dovecot wiki, which has been 
rectified (2nd May). The detail of that was that the previous example used 
"use_shell", which we document as being "inherently insecure".

Graeme
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
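
A configuration check for the "use_shell" setting mentioned in the reply above, as an added example that is not part of the original message or of Exim itself: it parses an Exim configuration and lists the pipe transports that enable use_shell. The sample configuration, its transport names and the delivery command path are constructed for illustration.

```python
import re

# Constructed sample (not from the original message); names and paths are made up.
SAMPLE_CONFIG = r'''
begin routers
localuser:
  driver = accept
begin transports
dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver \
            -f "$sender_address"
  use_shell
safe_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver -f "$sender_address"
  no_use_shell
'''

def logical_lines(text):
    """Yield config lines with comments dropped and backslash continuations joined."""
    buf = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line:
            yield line

def pipe_transports_using_shell(text):
    """Return sorted names of pipe transports that have use_shell switched on."""
    transports, section, current = {}, None, None
    for line in logical_lines(text):
        key, _, value = (part.strip() for part in line.partition("="))
        if m := re.fullmatch(r"begin\s+(\w+)", line):
            section, current = m.group(1), None
        elif section == "transports" and re.fullmatch(r"\w+:", line):
            current = transports.setdefault(line[:-1], {})
        elif section == "transports" and current is not None:
            if key in ("no_use_shell", "not_use_shell"):
                current["use_shell"] = False
            elif key == "use_shell":
                current["use_shell"] = value.lower() not in ("false", "no")
            elif key == "driver":
                current["driver"] = value
    return sorted(n for n, o in transports.items()
                  if o.get("driver") == "pipe" and o.get("use_shell"))
```

To audit a real installation, pass the text of the active configuration file to `pipe_transports_using_shell`; any name it returns is a transport whose command is run through a shell.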
