Open-Xchange: Directory traversal allows execution of arbitrary binaries using doveadm exec

2020-05-26T19:57:21
ID H1:883104
Type hackerone
Reporter eirini
Modified 2020-06-23T20:16:22

Description

Both the doveadm-exec man page and the online manual specify that it can be used to execute commands from Dovecot's libexec_dir (which sounds like an implicit security boundary). I recently ran across a situation where doveadm-exec was whitelisted in sudoers to be run as root. I realized it was possible to do a directory traversal and run an arbitrary binary as root.

```
$ sudo doveadm exec ../../../bin/bash
```

I discovered this on Ubuntu 20.04 LTS with Dovecot 2.3.7.2 (3c910f64b).

Impact

In case doveadm is run under sudo, it would allow an adversary to execute arbitrary binaries as root.
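The root cause the report describes is a command name that is joined onto libexec_dir without being checked, so a name containing `../` walks out of that directory. The following is an added example (not Dovecot's code) contrasting the unchecked join with a hardened one that only accepts a plain file name; `LIBEXEC_DIR` is an assumed stand-in for Dovecot's libexec_dir setting and the names used are constructed.

```c
/* Added example, not Dovecot's code: validating a command name before it is
 * joined onto the libexec directory, so "../../../bin/bash" cannot escape it. */
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for Dovecot's libexec_dir setting. */
#define LIBEXEC_DIR "/usr/lib/dovecot"

/* Returns 1 if 'name' is a plain file name that cannot leave a directory:
 * non-empty, no '/', not "." or "..", and no control characters. */
int is_plain_exec_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '/' || (unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Unchecked join, the behaviour the report describes: any name is accepted,
 * so "../../../bin/bash" resolves to /bin/bash. Returns 0 on success. */
int join_unchecked(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", LIBEXEC_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened join: refuses anything that is not a plain file name.
 * Returns 0 on success, -1 on rejection or truncation. */
int join_checked(const char *name, char *out, size_t outlen)
{
    if (!is_plain_exec_name(name))
        return -1;
    return join_unchecked(name, out, outlen);
}

int main(void)
{
    /* Constructed inputs: one legitimate helper name and three traversal/edge cases. */
    const char *inputs[] = { "dovecot-lda", "../../../bin/bash", "..", "" };
    char path[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (join_checked(inputs[i], path, sizeof path) == 0)
            printf("accepted \"%s\" -> %s\n", inputs[i], path);
        else
            printf("rejected \"%s\"\n", inputs[i]);
    }
    return 0;
}
```

Even with this check in place, a sudoers entry granting doveadm exec as root still hands the caller every helper in libexec_dir, so the entry itself should be reviewed rather than relying on the name check alone.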