Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment…

Pàgina inicial
Delete this message
Reply to this message
Autor: Dennis Davis
Data:  
A: exim-users
Assumpte: Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment.
On Tue, 19 Apr 2016, Always Learning wrote:

> From: Always Learning <exim@???>
> To: Exim <exim-users@???>
> Date: Tue, 19 Apr 2016 01:26:46
> Subject: Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment.


...

> Thank you very much for your helpful summary. Currently I do not
> understand how someone can use Exim to execute malicious Perl scripts
> unless Exim has a facility to execute Perl scripts, for example
>
>     exim badwork.pl

>
> or could the malicious script contain, on the first line,
>
> #!/usr/sbin/exim
>
> instead of /usr/bin/perl ?


See Chapter 12 of the fine manual:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html

and:

http://www.exim.org/static/doc/CVE-2016-1531.txt

I suspect the exploit goes something like this:

exim calls perl routine(s) which calls external programs. Malicious
user manipulates the search path etc so malicious user's external
program(s) are called instead of the system versions. This is all
done as a privileged user, so malicious user now has a shell running
as that privileged user. Your system will shortly become toast...
--
Dennis Davis <dennisdavis@???>