Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Top Page

Reply to this message
Author: Cyborg
To: exim-users
Subject: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
Am 05.06.19 um 17:17 schrieb Heiko Schlittermann via Exim-users:
> The fix for CVE-2019-10149 is public now.

As the Advisiory is a bit unspecific for a protection, shouldn't a check
for  "$" in

  deny    message       = Restricted characters in address
              domains       = +local_domains
              local_parts   = ^[.] : ^.*[\$@%!/|]

and the none local domains block, prevent such an attack on any version?

Like in this working example i executed 10 minutes ago:

[root@c1 ~]# nc 25
220 ESMTP Exim 4.90_1 Thu, 06 Jun 2019 12:50:11 +0200
250 Hello localhost []
MAIL FROM: <cyborg2@???>
250 OK
RCPT TO: <${run{id}}@???>
550 Restricted characters in address

Tested on a live server. 

The advisory also says :

/Because expand_string() recognizes the "${run{<command> <args>}}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, //*a local attacker can simply send a mail to "${run{...}}@...alhost"
(where "localhost" is one of Exim's local_domains)*//and execute arbitrary commands, as root (deliver_drop_privilege is
false, by default):///
I did this, and nothing happend in an unprotected server config.
strace did not show an execution of the given command at all.

Is it possible/pausible that fedora build it with "DISABLE_EVENT" defined,
so the vulnerable code is not in there?

any way to check that ( did not find the show compile settings on the web ) ?