Nmap Development mailing list archives
Re: [NSE] Exim w/ Dovecot Remote Command Execution vulnerability
From: David Fifield <david () bamsoftware com>
Date: Mon, 6 May 2013 07:26:36 -0700
On Sun, May 05, 2013 at 10:16:36AM -0500, Paulino Calderon wrote:
> Can I get some help testing this?
>
> description = [[
> Attempts to exploit a remote command execution vulnerability in
> misconfigured Dovecot/Exim mail servers.
>
> It is important to note that the mail server will not return the output
> of the command. The mail server also won't allow space characters but they
> can be replaced with "${IFS}". Commands can also be concatenated with "``".
> The script takes care of the conversion automatically when setting the
> argument "cmd".
>
> References:
> * https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution
> * http://immunityproducts.blogspot.mx/2013/05/how-common-is-common-exim-and-dovecot.html
> * CVE not available yet
> ]]

I tried against a server that is apparently not vulnerable:

NSE: smtp-dovecot-exim-exec:Setting malicious MAIL FROM field to:nmap`uname`@example.com
NSE: smtp-dovecot-exim-exec:Cannot set recipient:SMTP: RCPT 550 relay not permitted

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
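
A defensive counterpart to the check discussed in this thread, as an added example that is not part of either message or of the NSE script: it scans mail log lines for envelope senders carrying the markers the script description names (backticks and "${IFS}"). The log layout, the extra "$(" marker, the function name and all sample lines are assumptions constructed for illustration.

```python
import re

# Sender fields in an Exim-style main log (assumed layout, not taken from the thread):
#   "<= addr" on accepted messages, "F=<addr>" on rejected ones.
SENDER_RE = re.compile(r"(?:<=\s+|F=<)([^\s>]+)")

# Markers named in the script description: backticks and "${IFS}".
# "$(" is added as the other common command-substitution form (assumption).
# A bare "$" is not flagged: it is a legal local-part character and would
# produce false positives on tagged bounce addresses.
MARKERS = {
    "backtick": re.compile(r"`"),
    "ifs-substitution": re.compile(r"\$\{?IFS\}?"),
    "dollar-paren": re.compile(r"\$\("),
}

# Constructed sample log lines (documentation addresses and IP ranges).
SAMPLE_LOG = [
    "2013-05-06 07:26:30 1UZAbc-0001Xy-2B <= alice@example.org "
    "H=mail.example.org [192.0.2.5] P=esmtp S=1204",
    "2013-05-06 07:26:36 H=(scanner.example) [192.0.2.10] "
    "F=<nmap`uname`@example.com> rejected RCPT <bob@example.net>: relay not permitted",
    "2013-05-06 07:27:02 1UZAbd-0001Xz-3C <= nmap`uname${IFS}-a`@example.com "
    "H=(client.example) [192.0.2.11] P=smtp S=310",
    "2013-05-06 07:27:40 1UZAbe-0001Y0-4D <= bounce+tag$2013@example.org "
    "H=list.example.org [192.0.2.6] P=esmtp S=980",
]


def suspicious_senders(lines):
    """Return (line_no, sender, [marker names]) for each flagged envelope sender."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = SENDER_RE.search(line)
        if not match:
            continue
        sender = match.group(1)
        # Only the local part reaches the delivery command as the sender name.
        local_part = sender.rsplit("@", 1)[0]
        found = [name for name, rx in MARKERS.items() if rx.search(local_part)]
        if found:
            hits.append((line_no, sender, found))
    return hits


if __name__ == "__main__":
    for line_no, sender, found in suspicious_senders(SAMPLE_LOG):
        print(f"line {line_no}: {sender} -> {', '.join(found)}")
```

A rejected RCPT, as in the output quoted above, still leaves the crafted sender in the log, so the second sample line is flagged even though nothing was delivered.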