Found in my mail server logs:

MAIL FROM:<;for P in f W K 0 r S 5 T A u p 4 X E Q;do read;done;sh;exit 0;>

I guess thatā€™s a command line injection attempt, aiming at mail servers passing sender address to a spam filter application without escaping. It installs crypto miners.

After ruling out Postfix as the potential target here, I found that Exim configuration has a use_shell setting for the pipe transport. That seems to be the vulnerable configuration here, and there is an older advisory on it (2013).


So my suspicion about misconfigured spam filtering being the target was obviously wrong. It was far more mundane: the proposed configuration for integrating Dovecot with Exim used to be vulnerable. IMHO it being possible to misconfigure in this way is already ridiculousā€¦

Ā· Ā· Web Ā· 0 Ā· 0 Ā· 1
Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.