Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment…

Author: Dennis Davis
Date:  
To: exim-users
Subject: Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment.
On Tue, 19 Apr 2016, Always Learning wrote:

> From: Always Learning <exim@???>
> To: Exim <exim-users@???>
> Date: Tue, 19 Apr 2016 01:26:46
> Subject: Re: [exim] Exim 4.84_2 #1 : WARNING: purging the environment.


...

> Thank you very much for your helpful summary. Currently I do not
> understand how someone can use Exim to execute malicious Perl scripts
> unless Exim has a facility to execute Perl scripts, for example
>
>     exim badwork.pl
>
> or could the malicious script contain, on the first line,
>
> #!/usr/sbin/exim
>
> instead of /usr/bin/perl ?


See Chapter 12 of the fine manual:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html

and:

http://www.exim.org/static/doc/CVE-2016-1531.txt

I suspect the exploit goes something like this:

Exim calls Perl routine(s) which call external programs. Malicious
user manipulates the search path etc. so malicious user's external
program(s) are called instead of the system versions. This is all
done as a privileged user, so malicious user now has a shell running
as that privileged user. Your system will shortly become toast...
--
Dennis Davis <dennisdavis@???>
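
The defence against the search-path manipulation suspected above is what the warning in the subject line names: purging the environment before a privileged program starts an interpreter or helper. The following C sketch is an added example, not Exim's code and not part of the original message; the allowlist `KEEP`, the fixed `SAFE_PATH` and the function names are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Assumed policy for this example: only these names survive, PATH is fixed. */
static const char *const KEEP[] = { "TZ", "LANG", NULL };
#define SAFE_PATH "PATH=/usr/bin:/bin"

/* Value of the variable whose name is the first len bytes of name, or NULL. */
const char *env_find(char *const env[], const char *name, size_t len) {
    for (size_t i = 0; env && env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

static int is_kept(const char *name, size_t len) {
    for (size_t i = 0; KEEP[i]; i++)
        if (strlen(KEEP[i]) == len && strncmp(name, KEEP[i], len) == 0)
            return 1;
    return 0;
}

/* Build a new NULL-terminated environment from `in`: allowlisted names only,
   first occurrence wins, malformed entries dropped, caller's PATH replaced.
   Strings are borrowed from `in`; the caller frees only the array. */
char **purge_env(char *const in[]) {
    size_t n = 0, k = 0;
    while (in && in[n]) n++;
    char **out = calloc(n + 2, sizeof *out);   /* zeroed, so always terminated */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(in[i], '=');
        if (!eq || eq == in[i]) continue;      /* no '=' or empty name */
        size_t len = (size_t)(eq - in[i]);
        if (is_kept(in[i], len) && !env_find(out, in[i], len))
            out[k++] = in[i];
    }
    out[k] = (char *)SAFE_PATH;                /* never the caller's PATH */
    return out;
}

int main(void) {   /* purge before starting any interpreter or helper */
    char **clean = purge_env(environ);
    if (!clean) return 1;
    environ = clean;
    return 0;
}
```

An allowlist is used rather than a list of known-bad names because a privileged program cannot enumerate every variable that an embedded interpreter or the dynamic loader might honour.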