Nmap Development mailing list archives

Re: [NSE] Exim w/ Dovecot Remote Command Execution vulnerability


From: David Fifield <david () bamsoftware com>
Date: Mon, 6 May 2013 07:26:36 -0700

On Sun, May 05, 2013 at 10:16:36AM -0500, Paulino Calderon wrote:
> Can I get some help testing this?
> 
> description = [[
> Attempts to exploit a remote command execution vulnerability in
> misconfigured Dovecot/Exim mail servers.
> 
> It is important to note that the mail server will not return the
> output of the command. The mail server also won't allow space
> characters, but they can be replaced with "${IFS}". Commands can also
> be concatenated with "``". The script takes care of the conversion
> automatically when setting the argument "cmd".
> 
> References:
> * https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution
> * http://immunityproducts.blogspot.mx/2013/05/how-common-is-common-exim-and-dovecot.html
> * CVE not available yet
> ]]

I tried against a server that is apparently not vulnerable:

NSE: smtp-dovecot-exim-exec:Setting malicious MAIL FROM field to:nmap`uname`@example.com
NSE: smtp-dovecot-exim-exec:Cannot set recipient:SMTP: RCPT 550 relay not permitted

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
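The quoted description explains the shape of the probe the script sends: an envelope sender whose local part wraps a command in backticks, with "${IFS}" standing in for spaces because the server rejects them. For a mail administrator the useful question is the reverse one: did anyone send me such a sender address, and what did it contain? The following is an added example, not part of this thread and not the Nmap script's code; it is written in Python rather than NSE Lua because it is meant for log review, not scanning. It screens envelope senders for the metacharacters the description names, recovers the embedded command text for triage, and runs over a few constructed Exim-style main-log arrival lines. The log line layout, the message ids, hosts and sizes are all assumptions made for the example.

```python
import re

# Constructed example: screen envelope senders for the shell metacharacters
# the thread describes (backticks to run a command, ${IFS} in place of spaces)
# and flag matching Exim main-log arrival lines for triage.

# Indicators checked in order; the names are this example's own labels.
INDICATORS = [
    ("backtick", re.compile(r"`")),          # `cmd` command substitution
    ("ifs", re.compile(r"\$\{IFS\}")),       # ${IFS} used as a space
    ("dollar_paren", re.compile(r"\$\(")),   # $(cmd) command substitution
    ("separator", re.compile(r"[|;]")),      # pipe / command separator
]

def suspicious_sender(address):
    """Return the indicator names present in an envelope sender address."""
    return [name for name, rx in INDICATORS if rx.search(address)]

# Text between one pair of backticks, the form the description mentions.
BACKTICK_SPAN = re.compile(r"`([^`]*)`")

def embedded_commands(address):
    """Recover the command(s) embedded in the sender, undoing the ${IFS}
    substitution so an analyst can read them as they would have run."""
    return [span.replace("${IFS}", " ") for span in BACKTICK_SPAN.findall(address)]

# SMTP transcript form: MAIL FROM:<address>
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def mail_from_sender(command):
    """Extract the address from a MAIL FROM command, or None if it is not one."""
    m = MAIL_FROM.match(command.strip())
    return m.group(1) if m else None

# Assumed shape of an Exim main-log arrival line (not taken from a real server):
#   <date> <time> <message-id> <= <sender> H=... [ip] P=... S=...
ARRIVAL = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<id>\S+) <= (?P<sender>\S+) ")

def scan_mainlog(lines):
    """Return a list of (message-id, sender, indicators) for arrival lines
    whose envelope sender carries shell metacharacters."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue
        sender = m.group("sender")
        if sender == "<>":          # null sender (bounce), nothing to inspect
            continue
        found = suspicious_sender(sender)
        if found:
            hits.append((m.group("id"), sender, found))
    return hits

# Constructed sample log lines (message ids, hosts and sizes are made up).
SAMPLE_LOG = [
    "2013-05-06 07:26:36 1UZ4rc-0001Vp-2f <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234",
    "2013-05-06 07:27:01 1UZ4s1-0001Vu-7Q <= nmap`uname`@example.com H=(scanner) [198.51.100.7] P=smtp S=210",
    "2013-05-06 07:27:40 1UZ4sY-0001Vy-Lx <= <> H=mx.example.net [203.0.113.5] P=esmtp S=890",
    "2013-05-06 07:28:03 1UZ4tP-0001W3-0c <= nmap`uname${IFS}-a`@example.com H=(scanner) [198.51.100.7] P=smtp S=215",
]

if __name__ == "__main__":
    for msg_id, sender, found in scan_mainlog(SAMPLE_LOG):
        print(msg_id, sender, found, embedded_commands(sender))
```

Note that a 550 "relay not permitted" at RCPT, as in David's test above, means the message never reached a local delivery transport, so a log line with a suspicious sender is evidence of an attempt, not of a successful command execution; whether the command ran depends on whether the local-delivery command interpolated the sender address as the advisory describes.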
