On Mon, 2016-04-18 at 14:23 -0700, Ian Zimmerman wrote:
> It has been possible for a long time (always?) to build Exim in such a
> way as to include its own Perl engine [1], which is then available to
> magically transform your configuration. The vulnerability, AFAIK, comes
> from the fact that the environment settings are available to the Perl
> engine, which could do essentially anything (with the identity of the
> Exim process, which means at least initially root).
>
> If your Exim build doesn't include the Perl engine, you are not
> vulnerable; but the fix is included anyway :-P
It does include Perl .....
Exim version 4.84_2 #1 built 24-Mar-2016 16:26:05 ....
Support for: crypteq iconv() IPv6 PAM Perl ....
> On a Unix like system many programs will send machine-generated email.
> They do that, behind the covers, by executing /usr/sbin/sendmail (or
> maybe /usr/lib/sendmail or something similar). That name is always, in
> a "factory" configuration, a symbolic link to the mail transport agent
> [MTA] in use, in your case Exim.
>
> In fact, many interactive mail clients (like mailx or mutt) work the
> same way by default when sending email, although some can be configured
> to connect to the SMTP socket of the MTA daemon.
>
> What other up-thread meant was that you are safe if instead you make your
> own wrapper /usr/sbin/sendmail program which discards or cleans up the
> environment itself, and then calls Exim. You'd _also_ need to remove
> any setuid or setgid [2] permission bits that the Exim binary has on
> your system.
At the moment Exim = -rwsr-xr-x root root
Removing group and user 'rx' prevents Exim forwarding incoming emails.
Removing the 's' from the owner's permission makes outgoing mail wait in
the queue (one example 4m30s) until I type 'exim -qff'. My preference is
instant automatic email forwarding.
> [1] hoping that you know what Perl is
Of course. My big Perl Black Book from circa 1998 remains mainly unread
due to time shortages.
Taught myself a little Perl when customising the Logwatch module to
provide better, for me, Exim summaries.
> [2] ditto for setuid/setgid
Now I do.
Thank you very much for your helpful summary. Currently I do not
understand how someone can use Exim to execute malicious Perl scripts
unless Exim has a facility to execute Perl scripts, for example
exim badwork.pl
or could the malicious script contain, on the first line,
#!/usr/sbin/exim
instead of /usr/bin/perl ?
It's fascinating.
Thank you.
--
Regards,
Paul.
England, EU. England's place is in the European Union.
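The sanitising /usr/sbin/sendmail wrapper that the quoted message describes, written out as an added example (it is not Exim's code nor any poster's); the Exim binary path and the allowlist of variables are assumptions to adjust for your system:

```shell
#!/bin/sh
# Sanitising /usr/sbin/sendmail wrapper (added example; not Exim's own code).
# REAL_EXIM is an assumed location of the real Exim binary; adjust it.
REAL_EXIM="${REAL_EXIM:-/usr/sbin/exim4}"

# Allowlist: only these variable names are passed on to Exim.  Anything that
# steers the embedded Perl interpreter (PERL5OPT, PERL5LIB, PERLLIB, PERL5DB)
# or the dynamic loader (LD_PRELOAD, LD_LIBRARY_PATH) is dropped simply by
# not being listed here.  Returns 0 to keep, 1 to drop.
keep_var() {
    case "$1" in
        HOME|USER|LOGNAME|TZ|LANG) return 0 ;;
        *) return 1 ;;
    esac
}

# Unset every exported variable not on the allowlist, then force PATH to a
# fixed value instead of inheriting it.  Only variable *names* are parsed out
# of env(1); a crafted value can at most trigger an extra unset, never cause
# an unlisted variable to be kept.
drop_unlisted() {
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        keep_var "$name" || unset "$name" 2>/dev/null || :
    done
    PATH=/usr/bin:/bin
    export PATH
}

# Show, without exec'ing anything, the environment Exim would receive.
sanitised_env() {
    ( drop_unlisted; env )
}

# Clean the environment and replace this process with the real Exim,
# passing the caller's arguments (e.g. -t, -i, recipients) through unchanged.
exec_exim() {
    drop_unlisted
    exec "$REAL_EXIM" "$@"
}

# Only act as the wrapper when installed and invoked as .../sendmail, so the
# functions above can also be sourced and inspected without side effects.
case "$0" in
    */sendmail) exec_exim "$@" ;;
esac
```

Removing the setuid bit from the Exim binary itself, as the quoted message also recommends, is a separate step done with chmod, not something this script performs.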