Open-Xchange: Directory traversal allows execution of arbitrary binaries using doveadm exec

ID H1:883104
Type hackerone
Reporter eirini
Modified 2020-06-23T20:16:22


Both the doveadm-exec man page and the online manual specify that it can be used to execute commands from Dovecot's libexec_dir (which sounds like an implicit security boundary). I recently ran across a situation where doveadm-exec was whitelisted in sudoers to be run as root. I realized it was possible to do a directory traversal and run an arbitrary binary as root.

```
$ sudo doveadm exec ../../../bin/bash
```

I discovered this on Ubuntu 20.04 LTS with Dovecot (3c910f64b).
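As an added example (written for this page, not code from the report or from Dovecot), the following POSIX shell wrapper shows the unchecked "join the name onto libexec_dir" pattern that the traversal abuses next to a checked version that only runs bare file names resolving to an executable directly inside the directory. The default `LIBEXEC_DIR`, the function names and the sample commands are assumptions for illustration; a sudoers entry would point at a wrapper like this rather than at `doveadm exec` itself.

```shell
#!/bin/sh
# Added example, not Dovecot's code: a wrapper that could be whitelisted in
# sudoers instead of a bare "doveadm exec". Only bare file names that name an
# executable directly inside LIBEXEC_DIR are run.
# Assumption: the default directory below is illustrative; set LIBEXEC_DIR
# to the real libexec_dir of the installation.

LIBEXEC_DIR="${LIBEXEC_DIR:-/usr/lib/dovecot}"

# unsafe_libexec_exec NAME [ARGS...]
# Mirrors the reported behaviour: NAME is joined onto the directory with no
# validation, so "../../../bin/bash" walks out of it.
unsafe_libexec_exec() {
    _name=$1; shift
    "$LIBEXEC_DIR/$_name" "$@"
}

# check_libexec_name NAME
# Returns 0 when NAME is a bare file name (no slash, not "." or "..") that
# names an executable regular file directly inside LIBEXEC_DIR, else 1.
# A symlink is accepted only if it still resolves inside the directory.
check_libexec_name() {
    _name=$1
    case "$_name" in
        ''|.|..|*/*) return 1 ;;   # empty, dot, dot-dot, or contains a separator
    esac
    _target="$LIBEXEC_DIR/$_name"
    [ -f "$_target" ] && [ -x "$_target" ] || return 1
    if [ -L "$_target" ]; then
        _base=$(readlink -f -- "$LIBEXEC_DIR") || return 1
        _resolved=$(readlink -f -- "$_target") || return 1
        case "$_resolved" in
            "$_base"/*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# safe_libexec_exec NAME [ARGS...]
# Refuses with exit status 2 unless check_libexec_name accepts NAME.
safe_libexec_exec() {
    _name=$1; shift
    if ! check_libexec_name "$_name"; then
        printf 'refusing to run %s: not a command in %s\n' "$_name" "$LIBEXEC_DIR" >&2
        return 2
    fi
    "$LIBEXEC_DIR/$_name" "$@"
}
```

The check rejects the name before any path is built, so "../../../bin/bash", "/bin/bash" and "." never reach exec; it does not try to normalise the path after the fact, which is the approach that tends to miss encodings and symlinks.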


In case doveadm is run under sudo, it would allow an adversary to execute arbitrary binaries as root.