Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro secu…

Author: Andrew C Aitchison
Date:  
To: admin
CC: exim-dev
Subject: Re: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem
On Fri, 5 May 2017, admin@??? wrote:

> https://bugs.exim.org/show_bug.cgi?id=2118
>
> --- Comment #5 from Heiko Schlittermann <hs@???> ---
> (In reply to Sandor Takacs from comment #0)
>> I found this WordPress + Exim remote code execution exploit on exploit-db
>> site. It uses "exim -be '${run...}'" to place payload on the remote system.
>>
>> https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-
>> 10033.html
>
> Its remote character is a Wordpress problem. A remote attacker can run
> commands on the Wordpress site. Exim is one of the commands, but not the only
> one. Probably an attacker can even run "cat", "touch" and so on. Where is the
> vulnerability? Are "cat", "touch", and so on, not vulnerable? Or is Wordpress
> vulnerable?


I'm guessing that the exim/sendmail command name is set in the
wordpress config and not under the hacker's control.

This "exploit" hides the "/" (and any other character that can be
reliably got from exim -be) from whatever sanity checking wordpress
is doing on the command-line args.
That is a genuine (though small) increase in exposure
but it is not a problem of exim,
but of wordpress + exim being more than the sum of the two parts.

Perhaps exim could have a config option to disable -be and ${run}
for use in situations when its command line options are untrustworthy,
but that is being nice and covering someone else's back.

--
Andrew C Aitchison
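The point both posters make is that the exposure sits where a web application hands attacker-influenced arguments to the sendmail binary, and that a deny-list on characters like "/" is not a sound boundary once an expansion-capable MTA is on the other side. The following is an added example, not code from Exim, WordPress, PHPMailer or anyone on this thread: it vets the argv a web application would pass to a sendmail-compatible MTA with an allow-list, so that options such as -be and any argument carrying expansion syntax never reach the process. The binary path, the option allow-list and the address pattern are assumptions chosen for illustration.

```python
"""
Allow-list vetting of arguments handed to a sendmail-compatible MTA.

Added example (not Exim's, WordPress's or the list poster's code). It assumes
a web application that builds an argv for /usr/sbin/sendmail and wants to
refuse anything that could reach the MTA's option parser or string-expansion
machinery. The path, the option allow-list and the address pattern are
assumptions for illustration.
"""
import re
from typing import List

SENDMAIL_PATH = "/usr/sbin/sendmail"   # assumed location of the MTA binary

# Options a mail-sending web app legitimately needs. Anything else, including
# -be / -bem (string expansion test mode), is refused rather than "cleaned up".
ALLOWED_OPTIONS = {"-t", "-i", "-oi"}

# Conservative envelope-sender shape. A value outside it is rejected outright;
# note that "$", "{" and "}" cannot appear, so expansion syntax never passes.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class UnsafeArgument(ValueError):
    """Raised when an argument is not on the allow-list."""


def looks_like_expansion(value: str) -> bool:
    """Detection-side check: does a value contain Exim-style expansion syntax?

    Useful for logging attempts. It is deliberately NOT the security boundary:
    a character deny-list (for "/" or "$") is the weak pattern discussed on
    the list, so vet_sendmail_args() relies on the allow-list instead.
    """
    return "${" in value or "$" in value


def vet_sendmail_args(args: List[str]) -> List[str]:
    """Return a copy of args if every element is on the allow-list; raise otherwise."""
    vetted: List[str] = []
    it = iter(args)
    for arg in it:
        if arg in ALLOWED_OPTIONS:
            vetted.append(arg)
        elif arg == "-f":
            # -f takes the envelope sender as the next argument; validate strictly.
            try:
                sender = next(it)
            except StopIteration:
                raise UnsafeArgument("-f without an address") from None
            if not _ADDR_RE.fullmatch(sender):
                raise UnsafeArgument(f"rejecting envelope sender {sender!r}")
            vetted.extend(["-f", sender])
        elif arg.startswith("-"):
            # Covers -be, -bem, fused forms such as -fuser@host, and unknown flags.
            raise UnsafeArgument(f"option not on allow-list: {arg!r}")
        else:
            # Recipients should come from headers via -t, never from argv.
            raise UnsafeArgument(f"unexpected positional argument: {arg!r}")
    return vetted


def is_safe_argv(args: List[str]) -> bool:
    """Boolean wrapper around vet_sendmail_args() for callers that only need yes/no."""
    try:
        vet_sendmail_args(args)
        return True
    except UnsafeArgument:
        return False


def build_command(args: List[str]) -> List[str]:
    """Full argv to pass to subprocess.run(..., shell=False) after vetting."""
    return [SENDMAIL_PATH] + vet_sendmail_args(args)


if __name__ == "__main__":
    # Constructed inputs: one legitimate invocation and two that must be refused.
    print(build_command(["-f", "web@example.com", "-t", "-i"]))
    for bad in (["-be", "x"], ["-f", "web@example.com${placeholder}"]):
        print(bad, "->", "accepted" if is_safe_argv(bad) else "refused")
```

The design choice is that the web application never tries to make a suspicious value harmless; it fails closed on anything outside a small allow-list, and the process is launched with `shell=False` so no second parser is involved. `looks_like_expansion()` exists only to flag attempts for monitoring.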