| Field | Value |
|---|---|
| Short Name | SMTP:EXPLOIT:EXIM-DOVECOT-RCE |
| Severity | High |
| Recommended | Yes |
| Category | SMTP |
| Keywords | Exim with Dovecot LDA sender_address Parameter Remote Command Execution |
| Release Date | 2014/02/18 |
| Update Number | 2346 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |

This signature detects attempts to exploit a known vulnerability in Exim when it is used with the Dovecot LDA, through the sender_address parameter. The vulnerability is due to a dangerous configuration suggested for Dovecot that uses the "use_shell" option. In most standard setups an attacker can control the content of the variable $sender_address, and its value is inserted verbatim into the string that is supplied to the shell. This enables attackers to execute arbitrary shell commands within the context of the Exim system user. A remote attacker could exploit this vulnerability by sending a malicious 'sender_address' parameter, which is supplied via a 'MAIL FROM' header. Successful exploitation would lead to remote execution of shell commands within the context of the Exim user.
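To check a mail server for the configuration described above, the following added example (not part of the original signature entry) scans an Exim configuration for pipe transports that combine `use_shell` with `$sender_address` in their command. The sample configuration, its paths and its transport names are constructed for illustration; the second transport omits `use_shell`, so Exim runs the command directly instead of through a shell.

```python
import re

# Constructed sample Exim configuration (paths and transport names are made up).
SAMPLE_CONFIG = r'''
begin transports

dovecot_weak:
  driver = pipe
  use_shell
  command = /usr/lib/dovecot/deliver -e -k -s \
            -f "$sender_address" <$local_part@$domain>

dovecot_no_shell:
  driver = pipe
  command = /usr/lib/dovecot/deliver -e -k -s -f "$sender_address"

begin retry
'''

# $sender_address and the variables derived from it come from MAIL FROM.
SENDER_VAR = re.compile(r'\$\{?sender_address')

def parse_transports(text):
    """Return {transport: {option: value}} for the 'transports' section."""
    text = re.sub(r'\\[ \t]*\n[ \t]*', ' ', text)   # join continuation lines
    transports, current, in_section = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if m := re.match(r'begin\s+(\w+)$', line):
            in_section, current = m.group(1) == 'transports', None
        elif in_section and (m := re.match(r'(\w+):$', line)):
            current = transports.setdefault(m.group(1), {})
        elif in_section and current is not None:
            name, sep, value = line.partition('=')
            # A bare option name is Exim's shorthand for "option = true".
            current[name.strip()] = value.strip() if sep else 'true'
    return transports

def risky_transports(text):
    """Names of pipe transports that hand the envelope sender to a shell."""
    hits = []
    for name, opts in parse_transports(text).items():
        shell = opts.get('use_shell', 'false').lower() in ('true', 'yes')
        if (opts.get('driver') == 'pipe' and shell
                and SENDER_VAR.search(opts.get('command', ''))):
            hits.append(name)
    return hits

if __name__ == '__main__':
    print(risky_transports(SAMPLE_CONFIG))
```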