module
Qmail SMTP Bash Environment Variable Injection (Shellshock)
| Disclosed | Created |
|---|---|
| Sep 24, 2014 | May 30, 2018 |
Disclosed
Sep 24, 2014
Created
May 30, 2018
Description
This module exploits a shellshock vulnerability on Qmail, a public
domain MTA written in C that runs on Unix systems.
Due to the lack of validation on the MAIL FROM field, it is possible to
execute shell code on a system with a vulnerable BASH (Shellshock).
This flaw works on the latest Qmail versions (qmail-1.03 and
netqmail-1.06).
However, in order to execute code, /bin/sh has to be linked to bash
(usually default configuration) and a valid recipient must be set on the
RCPT TO field (usually [email protected]).
The exploit does not work on the "qmailrocks" community version
as it ensures the MAILFROM field is well-formed.
domain MTA written in C that runs on Unix systems.
Due to the lack of validation on the MAIL FROM field, it is possible to
execute shell code on a system with a vulnerable BASH (Shellshock).
This flaw works on the latest Qmail versions (qmail-1.03 and
netqmail-1.06).
However, in order to execute code, /bin/sh has to be linked to bash
(usually default configuration) and a valid recipient must be set on the
RCPT TO field (usually [email protected]).
The exploit does not work on the "qmailrocks" community version
as it ensures the MAILFROM field is well-formed.
Authors
Mario Ledo (Metasploit module)
Gabriel Follon (Metasploit module)
Kyle George (Vulnerability discovery)
Gabriel Follon (Metasploit module)
Kyle George (Vulnerability discovery)
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.