Exim is a message transfer agent (MTA) that runs on Unix-like systems and is one of the most widely used mail servers. According to search results on Shodan, there are 5 million servers running Exim.
A critical remote code execution vulnerability was discovered in the Exim server by Zerons. All Exim servers accepting TLS connections are deemed to be vulnerable; both GnuTLS-based and OpenSSL-based builds are affected. The vulnerability allows an unauthenticated remote attacker to execute programs with root privileges on any Exim server that accepts TLS connections. It has been assigned CVE-2019-15846.
The advisory explains that the vulnerability can be exploited by sending an SNI that ends with a backslash-null sequence during the initial TLS handshake. SNI stands for Server Name Indication, a TLS extension that allows different certificates to be used for different server names hosted on the same IP address and TCP port number. The flaw is mainly due to a buffer overflow in the SMTP delivery process. A server with the default runtime configuration can be exploited by sending crafted Server Name Indication (SNI) data during TLS negotiation; in all other configurations, a crafted client TLS certificate can be used to exploit the vulnerability instead. ‘spool_read_header()’ runs as root, and therefore the flaw is remotely exploitable with root privileges.
Qualys mentions in its analysis that the ‘string_unprinting()’ and ‘string_interpret_escape()’ functions are problematic. However, there is another flaw, in the ‘string_printing()’ function, which is what actually triggers the flaw in ‘string_unprinting()’ and ‘string_interpret_escape()’. The code in ‘string_printing()’ fails to escape the escape character itself (the backslash) and hence accepts an SNI ending with a backslash-null sequence. The destination buffer is allocated right after the source buffer, because the SNI is read from the spool via string_unprinting(string_copy()) and both ‘string_unprinting()’ and ‘string_copy()’ allocate with ‘store_get()’. When the end of the source buffer is reached, the characters overflow into the destination buffer, leading to a heap overflow that is under the direct control of the attacker.
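As an added illustration (a simplified model, not Exim's code), the following C snippet shows why an escape routine must escape its own escape character: print_name() with escape_bs set to 0 mirrors the defect described above, while the bounds-checked unprint() refuses the dangling backslash that a trusting decoder would step past. All function names and sample inputs here are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape routine for spool storage: non-printable bytes become \xNN.
 * With escape_bs == 0 it models the defect described above (a backslash is
 * passed through unchanged); with escape_bs == 1 it is the corrected form
 * that writes "\\", so stored text can never end in a lone escape character.
 * Simplified model for illustration, not Exim's code. */
static void print_name(const char *src, char *dst, size_t cap, int escape_bs) {
    size_t n = 0;
    for (; *src && n + 5 < cap; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '\\' && escape_bs) { dst[n++] = '\\'; dst[n++] = '\\'; }
        else if (isprint(c)) dst[n++] = (char)c;   /* lone '\\' lands here */
        else n += (size_t)sprintf(dst + n, "\\x%02x", c);
    }
    dst[n] = '\0';
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Bounds-checked decoder. Returns 0 on success, -1 on a dangling backslash
 * (a decoder that trusts its input would read past the terminator here). */
static int unprint(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    while (*src && n + 1 < cap) {
        if (*src != '\\') { dst[n++] = *src++; continue; }
        if (src[1] == '\0') return -1;               /* nothing after '\\' */
        if (src[1] == '\\') { dst[n++] = '\\'; src += 2; continue; }
        if (src[1] != 'x') return -1;
        int hi = hexval(src[2]), lo = hi < 0 ? -1 : hexval(src[3]);
        if (lo < 0) return -1;
        dst[n++] = (char)(hi * 16 + lo); src += 4;
    }
    dst[n] = '\0';
    return 0;
}

/* 1 if name survives print+unprint unchanged, 0 if decoding had to bail out. */
static int roundtrip_ok(const char *name, int escape_bs) {
    char enc[128], dec[128];
    print_name(name, enc, sizeof enc, escape_bs);
    return unprint(enc, dec, sizeof dec) == 0 && strcmp(dec, name) == 0;
}
```

With escape_bs == 0 a name ending in a backslash is stored with a trailing lone backslash, and the decoder has to stop; with escape_bs == 1 the same name round-trips cleanly.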
In order to achieve remote code execution, the out-of-bounds read can be transformed into an out-of-bounds write, which in turn can be used to overwrite the headers of free malloc chunks. Increasing the size of such a chunk makes the next allocation overlap with already-allocated malloc chunks, which can be used to overwrite large parts of the heap with arbitrary data. ‘spool_read_header()’ is the function that copies data into the malloc chunk, and since ‘spool_read_header()’ runs as root, the flaw is remotely exploitable with root privileges.
A PoC exists for this vulnerability but has not been published by Qualys. Qualys has also discovered and reported three other bugs, including the unescaped backslash in the ‘string_printing()’ function. Exim has released fixed versions for this vulnerability.
This vulnerability is easily exploitable and allows an attacker to gain root access remotely. System administrators should therefore update systems running Exim to the latest versions without delay.
Exim version 4.92.1 and earlier are affected.
A remote unauthenticated attacker can execute programs with root privileges.