Friday, May 3, 2013

How common is common? Exim and Dovecot

Introduction:
Today a really neat advisory was released by the folks over at RedTeam Pentesting GmbH (RTP) involving a common misconfiguration when using Exim and Dovecot together. The high level is that when you use Exim as an MTA (what sends and receives mail from other servers) and Dovecot as an LDA (serves the mail to users via IMAP/POP3 etc) the example Exim configuration file Dovecot provides to make the MTA->LDA connection work has a bad configuration option whereby an attacker could get command injection on your mail server via sending mail! This is totally rad for a few reasons. First, this is going to be very reliable as it's command injection so there's no memory corruption voodoo to go wrong. Secondly, the vulnerability was introduced from one product into another by way of the admin! Plus the idea of doing command injection via email is pretty great.

In the advisory RTP released they mention that using Exim with Dovecot is a very common configuration, so I decided to see how how common it really was. To do this you'd need SMTP/IMAP/POP3 banners for large IP space, which we have courtesy of SWARM. So I wrote a few MongoDB queries and did some basic work with sets in Python and came up with some interesting answers. Without expounding too much about these data sets, they're non-overlapping IP space. We'll leave it at that as it will give affected admins more time to fix their configs. I've put the results from a few of our largest data sets into a table.

DB Size (IPs)* Exim banners Dovecot banners** Exim + Dovecot (Exim + Dovecot) / Total Exim
2,086,479 50,533 69,433 36,557 72.3%
1,668,143 629 11869 324 51.1%
753,486 22019 24494 20157 91.5%

* IPs that returned results from a SWARM module, a subset of all hosts scanned for that job
** We counted unique hosts that had at least one Dovecot banner on either IMAP or POP3

Limitations:

  1. We did not look at IMAPS or SSL-POP
  2. If Exim and Dovecot are not run on the same server it wouldn't be included in our results
  3. If IMAP/POP3 are run on non-standard ports it wouldn't be included in our results
  4. We did not confirm the presence of the vulnerability beyond banner parsing
  5. According to RTP the errant config was introduced in 2009, we could also filter by the presence of dovecot versions released only after 2009. Though this wouldn't take into account configurations that had remained static through upgrades

Conclusion:
When running Exim and IMAP/POP3, Dovecot is an extremely popular choice for an LDA. I think it's fair to say that a majority of administrators would reference the Dovecot wiki or documentation when configuring this setup. As a result this vulnerability is probably present on over a hundred thousand servers. Interestingly there is a lot of regional variance for both Exim and Dovecot, though in all Dovecot appears to be more popular in our data.
Pulling this data out with SWARM was pretty easy and it gave me a rough idea of the impact of the vulnerability. Some folks only rely on the CVSS score but fail to see the larger picture. If you have reliable unauthenticated remote code execution on Bob's Fancy FTP Server that would probably score a 10 on the CVSS scale. But if there are 15 total installs of that software anywhere on the planet, the impact is going to be minimal.

Also, after the fact I learned that Mongo has a built in MapReduce which I need to learn how to use :-/

1 comment:

mosesrenegade said...

MapReduce is beautiful. WIth map you batch to find all of the places in which your data is potentially stores across all the file stores (mapping across a large number of nodes), once found a reduction phase would then sort, join, etc, the data.

Careful with MapReduce on certain systems like Mongo and Riak, you may want to consider using Hadoop as the underlying File System to execute and batch MapReduce in a quicker manner than some other key value datastores like mongo.

Unless you had a large number of systems you wouldn't need MapReduce. Alternatively you are sharding and using a cluster and are performing a map reduce without necessarily realizing it.

Happy to help.