Re: [exim] The problem with Free Software

On Mon, 3 Jun 2013, Allen Bell wrote:
> But sometimes, the developer ego gets involved and once they make a
> decision about the "right way" to do something it becomes cast in concrete.

I don't see how problems like this are in any way specific to free
software. I suppose it might seem that way because, in proprietary
software, such annoyances are forgotten among the annoying things they do
to upsell you on other editions of the product, or to cuddle with the
audio/video copyright lobby.

> My case in point today is having installed the latest version of Exim and
> finding that the directive placing "root" on the never list - cannot be
> overridden.
But this has nothing to do with developer ego. It's done that way to plug
a real privilege escalation exploit.

It's my fault, btw. The actual change was Philip's idea, but I pointed
out this exploit to him back in 2003.

The problem is the "-C" option, which specifies a different configuration
file than that compiled in.

As normally configured, Exim's use of the "exim user/group" persona is
purely a security firebreak. It means that in many places a
remote-execution vulnerabilty might be hiding, it will only give the
attacker an "exim user" shell, not a root shell.

But this is meaningless if there is a reliable way to escalate from the
"exim user" to root. And before FIXED_NEVER_USERS, there was. All the
attacker has to do is construct a configuration file that sets
never_users blank and calls for a piped delivery using an executable he
provides, to be run as root.

As long as you start as the compiled-in exim user, Exim will honor a "-C"
from the command-line and use its root privileges to execute that
configuration.

TL;DR - if an attacker gets an "exim user" shell, he can escalate to any
user-id not in FIXED_NEVER_USERS. So it's a good idea to always have
root in that list.

---- Michael Deutschmann <michael@???>