Resultados 1 a 5 de 5
  1. #1
    Super Moderador
    Data de Ingresso
    Sep 2010
    Localização
    Procurando...
    Posts
    4,106

    Falha de segurança Dovecot

    Security: Dovecot integration, exploit in wild

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Folks,

    Until fairly recently, the Dovecot documentation proposed an Exim
    configuration sample which resulted in insecure Exim configurations.
    We're told that there are now automated exploits available for at least
    one common exploit framework.

    If you have configured Exim to work with Dovecot, it's good to check
    that you're up-to-date with their recommended configuration. If you
    haven't, but grep'ing your Exim configure file shows the presence of
    "use_shell", then now is a good time to review.

    $ fgrep use_shell -- $(exim -bP configure_file)

    It's unfortunate that we're in a situation where even mail experts who
    work on another mail product can so inadvertently create a security
    problem.

    Exim's original author (Philip Hazel) deliberately made sure that Exim
    does not use the shell by default, so that arbitrary content in a
    sender's address can not be injected for shell parsing. This work on
    his part was explicitly to protect against this kind of attack.

    Alas, while the use_shell documentation warned of the issues, the
    Security Considerations section of the documentation did not reference
    this, so folks may not have caught the full implications during any
    security review of their configurations.

    We have since updated the documentation for the next release of Exim to
    include a "Running local commands" section in the "Security
    considerations" chapter, referencing this and other items of concern.
    I have included a rendering of this to plain text below, for your
    convenience.

    The use_shell option, while dangerous, does have legitimate uses and we
    can't remove the facility. It remains something that does have to be
    explicitly enabled in configuration and the default behaviour of Exim
    does protect against this kind of attack.

    PLEASE: review your configurations, in light of the points below, to
    better protect yourselves.

    Thank you for your attention,
    - -Phil Pennock, pp The Exim Maintainers.

    Advisory:
    https://www.redteam-pentesting.de/de...mand-execution

    New documentation; commit:
    git.exim.org Git - exim.git/commitdiff

    As plain text:
    - ----------------------------8< cut here >8------------------------------
    54.5 Running local commands
    - ---------------------------

    There are a number of ways in which an administrator can configure Exim to run
    commands based upon received, untrustworthy, data. Further, in some
    configurations a user who can control a .forward file can also arrange to run
    commands. Configuration to check includes, but is not limited to:

    * Use of use_shell in the pipe transport: various forms of shell command
    injection may be possible with this option present. It is dangerous and
    should be used only with considerable caution. Consider constraints which
    whitelist allowed characters in a variable which is to be used in a pipe
    transport that has use_shell enabled.

    * A number of options such as forbid_filter_run, forbid_filter_perl,
    forbid_filter_dlfunc and so forth which restrict facilities available to
    .forward files in a redirect router. If Exim is running on a central mail
    hub to which ordinary users do not have shell access, but home directories
    are NFS mounted (for instance) then administrators should review the list
    of these forbid options available, and should bear in mind that the options
    that may need forbidding can change as new features are added between
    releases.

    * The ${run...} expansion item does not use a shell by default, but
    administrators can configure use of /bin/sh as part of the command. Such
    invocations should be viewed with prejudicial suspicion.

    * Administrators who use embedded Perl are advised to explore how Perl's
    taint checking might apply to their usage.

    * Use of ${expand...} is somewhat analagous to shell's eval builtin and
    administrators are well advised to view its use with suspicion, in case
    (for instance) it allows a local-part to contain embedded Exim directives.

    * Use of ${match_local_part...} and friends becomes more dangerous if Exim
    was built with EXPAND_LISTMATCH_RHS defined: the second string in each can
    reference arbitrary lists and files, rather than just being a list of
    opaque strings. The EXPAND_LISTMATCH_RHS option was added and set false by
    default because of real-world security vulnerabilities caused by its use
    with untrustworthy data injected in, for SQL injection attacks. Consider
    the use of the inlisti expansion condition instead.

    - ----------------------------8< cut here >8------------------------------

    -----BEGIN PGP SIGNATURE-----

    iEYEAREDAAYFAlG2T+8ACgkQQDBDFTkDY38kqgCghOb32WUEUP 8212kAzANaWtFv
    RvIAn292Yfv7ch9b0YQL3ehbiw2y7pr4
    =p/uS
    -----END PGP SIGNATURE-----
    Siga-nos em nosso twitter: @wht_brasil

  2. #2
    {topmember}
    Data de Ingresso
    Nov 2010
    Localização
    Rio de Janeiro
    Posts
    596
    O que exatamente o comando

    fgrep use_shell -- $(exim -bP configure_file)
    Deveria fazer ?

  3. #3
    WHT-BR Top Member
    Data de Ingresso
    Nov 2010
    Posts
    1,611
    Citação Postado originalmente por DuranDuran Ver Post
    O que exatamente o comando



    Deveria fazer ?
    Fiquei curioso também
    oGigante.com*• Revenda de Hospedagem Cloud Linux + WHMCS Grátis
    VWhost.com.br • Revenda de Hospedagem Linux Cpanel + CloudFlare
    Zocka.com.br • Hospedagem de Sites Cpanel + Construtor de Sites

  4. #4
    Super Moderador
    Data de Ingresso
    Sep 2010
    Localização
    Procurando...
    Posts
    4,106
    Citação Postado originalmente por DuranDuran Ver Post
    O que exatamente o comando



    Deveria fazer ?
    boa pergunta
    Siga-nos em nosso twitter: @wht_brasil

  5. #5
    WHT-BR Top Member
    Data de Ingresso
    Dec 2010
    Localização
    /sc/rionegrinho
    Posts
    1,036
    exim -bP configure_file - Te retorna qual é o arquivo de configuração do exim:

    Código:
    root@server [~]# exim -bP configure_file
    /etc/exim.conf
    fgrep use_shell -- - Pesquisa pelo termo "use_shell" dentro do arquivo retornado pelo comando anterior

    Em resumo, se o resultado do comando for nada, deu boa
    Alexandre Silva Hostert

    Veezon
    Gerenciamento de Servidores


    http://veezon.com.br
    http://br.linkedin.com/in/alexandreveezon

Permissões de Postagem

  • Você não pode iniciar novos tópicos
  • Você não pode enviar respostas
  • Você não pode enviar anexos
  • Você não pode editar suas mensagens
  •