The 2021 Pwnie Nominee For Best Server-Side Bug

RCE in Qmail (CVE-2005-1513)

Researcher Names: The Qualys Vulnerability and Malware Research Labs (VMRL)


This bug in qmail was discovered 15 years ago by a young researcher. The developer and the community surrounding qmail made fun of him, claiming it wasn’t exploitable. No patch was released, in part because the fan base around qmail claimed it was the most secure software in existence. The researchers at Qualys proved them all wrong and brought justice to the young researcher by exploiting the bug and achieving remote code execution. And did we mention that qmail was already nominated for lamest vendor response in 2020?