SMTP: Exim with Dovecot LDA sender_address Parameter Remote Command Execution

This signature detects attempts to exploit a known vulnerability in Exim used with the Dovecot LDA, involving the sender_address parameter. The vulnerability is due to a dangerous configuration in Dovecot that suggests the "use_shell" option. In most standard setups an attacker can control the content of the variable $sender_address, and its value is inserted verbatim into the string that is supplied to the shell. This enables attackers to execute arbitrary shell commands within the context of the Exim system user. A remote attacker could exploit this vulnerability by sending a malicious 'sender_address' parameter, which is supplied via a 'MAIL FROM' header. Successful exploitation would lead to remote shell command execution within the context of the Exim user.

Short Name
SMTP:EXPLOIT:EXIM-DOVECOT-RCE
Severity
Major
Recommended
False
Recommended Action
None
Category
SMTP
Keywords
Command Dovecot Execution Exim LDA Parameter Remote sender_address with
Release Date
02/18/2014
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3375
False Positive
Unknown