Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment…

Pàgina inicial
Delete this message
Reply to this message
Autor: Always Learning
Data:  
A: Exim
Assumpte: Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment.

On Mon, 2016-04-18 at 14:23 -0700, Ian Zimmerman wrote:

> It has been possible for a long time (always?) to build Exim such in way
> as to include its own Perl engine [1], which is then available to
> magically transform your configuration. The vulnerability, AFAIK, comes
> from the fact that the environment settings are available to the Perl
> engine, which could do essentially anything (with the identity of the
> Exim process, which means at least initially root).
>
> If your Exim build doesn't include the Perl engine, you are not
> vulnerable; but the fix is included anyway :-P


It does include Perl .....

Exim version 4.84_2 #1 built 24-Mar-2016 16:26:05 ....
Support for: crypteq iconv() IPv6 PAM Perl ....

> On a Unix like system many programs will send machine-generated email.
> They do that, behind the covers, by executing /usr/sbin/sendmail (or
> maybe /usr/lib/sendmail or something similar). That name is always, in
> a "factory" configuration, a symbolic link to the mail transport agent
> [MTA] in use, in your case Exim.
>
> In fact, many interactive mail clients (like mailx or mutt) work the
> same way by default when sending email, although some can be configured
> to connect to the SMTP socket of the MTA daemon.
>
> What other up-thread meant was that you are safe if instead you make your
> own wrapper /usr/sbin/sendmail program which discards or cleans up the
> environment itself, and then calls Exim. You'd _also_ need to remove
> any setuid or setgid [2] permission bits that the Exim binary has on
> your system.


At the moment Exim = -rwsr-xr-x root root

Removing group and user 'rx' prevents Exim forwarding incoming emails.

Removing the 's' from the owner's permission makes outgoing mail wait in
the queue (one example 4m30s) until I type 'exim -qff'. My preference is
instant automatic email forwarding.


> [1] hoping that you know what Perl is


Of course. My big Perl Black Book from circa 1998 remains mainly unread
due to time shortages.

Taught myself a little Perl when customising the Logwatch module to
provide better, for me, Exim summaries.

> [2] ditto for setuid/setgid


Now I do.

Thank you very much for your helpful summary. Currently I do not
understand how someone can use Exim to execute malicious Perl scripts
unless Exim has a facility to execute Perl scripts, for example

    exim badwork.pl


or could the malicious script contain, on the first line,

#!/usr/sbin/exim

instead of /usr/bin/perl ?

Its fascinating.

Thank you.


--
Regards,

Paul.
England, EU.      England's place is in the European Union.