Am 05.06.19 um 17:17 schrieb Heiko Schlittermann via Exim-users:
> The fix for CVE-2019-10149 is public now.
>
As the Advisiory is a bit unspecific for a protection, shouldn't a check
for "$" in
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[\$@%!/|]
and the none local domains block, prevent such an attack on any version?
Like in this working example i executed 10 minutes ago:
[root@c1 ~]# nc 127.0.0.1 25
220 mytestserver.de ESMTP Exim 4.90_1 Thu, 06 Jun 2019 12:50:11 +0200
HELO d1.ret.de
250 mytestserver.de Hello localhost [127.0.0.1]
MAIL FROM: <cyborg2@???>
250 OK
RCPT TO: <${run{id}}@???>
550 Restricted characters in address
Tested on a live server.
The advisory also says :
/Because expand_string() recognizes the "${run{<command> <args>}}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, //*a local attacker can simply send a mail to "${run{...}}@...alhost"
(where "localhost" is one of Exim's local_domains)*//and execute arbitrary commands, as root (deliver_drop_privilege is
false, by default):///
I did this, and nothing happend in an unprotected server config.
strace did not show an execution of the given command at all.
Is it possible/pausible that fedora build it with "DISABLE_EVENT" defined,
so the vulnerable code is not in there?
any way to check that ( did not find the show compile settings on the web ) ?
