Exim, one of the most popular open source mail transfer agents (MTAs) on Linux systems, is now being exploited by attackers all over the world. Currently, more than 3.5 million servers are at risk worldwide. The critical vulnerability, which the vendor has already fixed, has still not been patched on most systems, leaving them open to remote command execution. The target of this attack, Exim, runs almost 57% of the Internet's email servers.

A widespread campaign is exploiting the Exim flaw and leaves millions of Linux servers subject to a worm attack. It achieves persistence on the infected system by installing several payloads at different stages, including a port scanner and a coin miner. Microsoft has also warned Azure customers that they may be affected by this vulnerability.

Although the vendor has provided a patch for this issue, many systems are still unpatched and need to be patched immediately to be safe from any possible attack.


Technical Jargon:

A critical vulnerability (CVE-2019-10149) was found in Exim mail server versions 4.87 to 4.91 (inclusive). The application fails to properly handle recipient addresses in deliver_message(), which allows an attacker to execute arbitrary commands.

The vulnerability can be easily exploited by a local attacker, and by a remote attacker under certain non-default configurations. A remote attacker can also exploit this flaw under the default configuration, but researchers say that doing so requires keeping a connection to the vulnerable server open for 7 days (e.g., by transmitting one byte every few minutes).

To demonstrate this vulnerability, we tried the local exploit and found that a local attacker could run arbitrary commands that are otherwise possible only for the root user. Below is the proof of concept that was tried:

1. The arbitrary code that was run is as follows:

<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>

The recipient local part uses \x hex escapes (and \t for a tab); decoded to ASCII it gives the following command:

/bin/sh -c "id>>/tmp/id"

2. received_headers_max defaults to only 30. Hence the attacker has to send more than 30 Received headers to the mail server, which sets process_recipients to RECIP_FAIL_LOOP and thereby reaches the vulnerable code.

3. Since "localhost" is already present in Exim's "local_domains" list, the attacker is able to execute commands using a recipient in the "RCPT TO:run{…}}@…alhost" format.

Similar steps can be followed for the remote exploit under non-default configurations, which requires the name of a local user to be added in the recipient address part.

Exploiting the vulnerability remotely under the default configuration takes at least 7 days, since each byte has to be transferred after a fixed interval.
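The recipient address in the proof of concept above is the indicator a defender can look for: a mailbox name never legitimately contains an Exim ${run{...}} string expansion, and the \x hex escapes only exist to hide it. The following detector is an added example written for this article, not code from the original post or from the Exim project. It decodes the \xHH escapes, flags any envelope recipient that contains a run expansion after decoding, and scans a few constructed, mainlog-style lines (the log format is approximated; only the angle-bracketed addresses matter to the check).

```python
import re

# An Exim "${run{...}}" expansion inside a recipient local part is never a
# valid mailbox name, so its presence after decoding is a high-confidence
# indicator for CVE-2019-10149 exploitation attempts.
EXPANSION_RE = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)

# \xHH escapes as used in the proof-of-concept address.
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Angle-bracketed addresses as they appear in Exim log lines (F=<...>, RCPT <...>).
ADDRESS_RE = re.compile(r"<([^<>]+)>")


def decode_hex_escapes(text: str) -> str:
    """Replace every \\xHH escape with the ASCII character it encodes."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def is_suspicious_recipient(address: str) -> bool:
    """True when the envelope recipient carries a ${run{ expansion, whether
    written literally or hidden behind \\x hex escapes (e.g. \\x24 for '$')."""
    return EXPANSION_RE.search(decode_hex_escapes(address)) is not None


def scan_log(lines):
    """Return (line_index, decoded_address) for every suspicious address found."""
    hits = []
    for idx, line in enumerate(lines):
        for address in ADDRESS_RE.findall(line):
            if is_suspicious_recipient(address):
                hits.append((idx, decode_hex_escapes(address)))
    return hits


# Constructed sample lines; the mainlog layout is approximated, not taken from a real server.
SAMPLE_LOG = [
    r"2019-06-10 10:01:02 1hZxyz-0001AB-Cd <= alice@example.org H=(mx.example.org) [198.51.100.7] P=esmtp S=1024",
    r"2019-06-10 10:02:15 H=(scanner) [203.0.113.9] F=<bob@example.org> rejected RCPT <${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>: relay not permitted",
    r"2019-06-10 10:03:40 1hZxyz-0001AC-Ef => carol@example.org R=local_user T=local_delivery",
]

if __name__ == "__main__":
    for idx, decoded in scan_log(SAMPLE_LOG):
        print(f"line {idx}: suspicious recipient {decoded!r}")
```

Run against a real mainlog or rejectlog, the decoded address tells the responder exactly which command the sender was trying to have Exim execute; in a SIEM the same regex can be applied to the raw RCPT TO argument before any decoding, and to the decoded form to catch the escaped variants.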


Affected Platforms:

Exim versions from 4.87 to 4.91 are affected.

Currently, Ubuntu, Debian, Alpine and Amazon have released advisories covering this vulnerability. RHEL states that it is not affected.
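To triage a fleet against the affected range above, the version string is the first thing to check. The helper below is an added example for this article, not part of the original post or of Exim itself. It parses the version from either the output of exim -bV ("Exim version 4.91 ...") or the default SMTP greeting ("ESMTP Exim 4.91 ..."), and reports whether it falls in 4.87 to 4.91 inclusive. One caveat it encodes: distributions listed above may backport the fix without changing the version number, so an "affected" result from the version alone means "verify against the vendor advisory", not "confirmed vulnerable".

```python
import re
import subprocess

# Affected range as stated in the advisory: 4.87 through 4.91 inclusive.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Matches "Exim version 4.91" (exim -bV) and "ESMTP Exim 4.91" (default banner).
VERSION_RE = re.compile(r"Exim(?: version)? (\d+)\.(\d+)")


def parse_exim_version(text: str):
    """Extract (major, minor) from a version or banner string, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify_version(text: str) -> str:
    """Return 'affected-range', 'outside-range' or 'unknown' for a version string.

    'affected-range' is a triage result only: distribution packages may carry
    a backported fix under the same upstream version number."""
    version = parse_exim_version(text)
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected-range"
    return "outside-range"


def classify_local_exim(binary: str = "exim") -> str:
    """Run 'exim -bV' on this host and classify its reported version.

    Assumes the exim binary is on PATH; returns 'unknown' if it cannot be run."""
    try:
        out = subprocess.run([binary, "-bV"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify_version(out.stdout)


if __name__ == "__main__":
    print(classify_local_exim())
```

For hosts that report an affected-range version, the next step is the distribution advisory: confirm the installed package version carries the fix or upgrade to it, rather than relying on the upstream number alone.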


Solution:

Please refer to this KB article.

Article: The Return of the WIZard in exim4
Publisher: SecPod Technologies
