[exim] Detecting successful CVE-2019-10149 hack

Author: Phillip Carroll
Date:  
To: exim-users
Subject: [exim] Detecting successful CVE-2019-10149 hack
Because I was quite tardy in updating from 4.91 to 4.92, I am faced with
the question as to the best procedure for determining if anyone
successfully hacked into my CentOS 7 server.

(I updated in late June, still oblivious to the existence of the CVE. A
week later I learn about the CVE. C'est la vie.)

Googling hasn't yielded much in terms of what a sysop should look for.

I have exim logs going back many months. I searched those (case
insensitive) for the string "x2fbin", and also "${run". Both searches
found the exact same two instances of RCPT to a local part containing a
CVE-2019-10149 payoff string (quite different from each other, but both
having essentially the same form). One was dated the week before I
updated to 4.92. The other was dated a week after updating.

In both instances, the found string was part of an error message:
"SMTP Protocol error in RCPT TO:<root+$run...(payoff string)" ... sender
not yet given

In the first instance the RCPT error was immediately followed by the
error message:
SMTP protocol error in "DATA" ... valid RCPT command must precede DATA

In each instance the RCPT error was immediately followed by an error
message:
SMTP protocol error in "DATA" ... valid RCPT command must precede DATA

followed immediately by another error message:
SMTP protocol synchronization error (next input sent too soon:
pipelining was not advertised): rejected "Received: 1" ... next
input="Received: 2\r\nReceived: 3\r\nReceived: 4\r\nReceived:
5\r\nReceived: 6\r\nReceived: 7\r\nReceived: 8\r\nReceived:
9\r\nReceived: 10\r\nReceived: 11\r\nReceived: 12\r\nRece"

My first question is, do these indicate failed attempts, or could they
have succeeded? On the face, it appears they failed.

However, my second question would be whether, in a successful attempt,
the payoff string would even appear in the log or just get swallowed up
by exim executing the string? In which case, what do I look for to
eliminate that possibility?

GLTA
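Added example, not from the original post or from the Exim project: a small Python scan that repeats the search described above (case-insensitive "x2fbin" and "${run") over constructed sample mainlog lines and tags each hit by whether the surrounding line is an SMTP-level rejection, like the errors quoted in the post, or a message received (<=) / delivery (=>) line that got past the SMTP stage. The log lines, hosts and message ids are constructed, and treating "<=" / "=>" lines as the ones that merit follow-up is an assumption of this example.

```python
import re
from typing import Dict, List

# Strings the post searched for, matched case-insensitively.
INDICATOR_RE = re.compile(r"\$\{run|x2fbin", re.IGNORECASE)
# Markers of an SMTP-level rejection (all lines quoted in the post carry one).
REJECT_RE = re.compile(r"SMTP protocol (synchronization )?error|rejected ")
# Markers of a message received (<=) or delivered (=>); assumption: a
# payload address on one of these lines got past SMTP and needs a closer look.
ACCEPT_RE = re.compile(r" (<=|=>) ")

# Constructed sample log lines, not real log data; payloads abbreviated.
SAMPLE_LOG = "\n".join([
    r'2019-06-03 02:14:10 SMTP protocol error in RCPT TO:<root+${run{...}}@example.org> H=(x) [192.0.2.10] sender not yet given',
    r'2019-06-03 02:14:10 SMTP protocol error in "DATA" H=(x) [192.0.2.10] valid RCPT command must precede DATA',
    r'2019-06-04 09:00:00 1hXXXX-0000Ab-Cd <= bob@example.com H=mail.example.com [198.51.100.5] P=esmtp S=1234',
    r'2019-06-05 11:22:33 1hYYYY-0000Ef-Gh => root+${run{\x2Fbin\x2Fsh...}} <root+${run{\x2Fbin\x2Fsh...}}@example.org> R=localuser T=local_delivery',
    r'2019-06-06 03:03:03 SMTP protocol error in RCPT TO:<root+X2FbinX2Fsh@example.org> H=(z) [203.0.113.9] sender not yet given',
])


def classify(line: str) -> str:
    """Rejected at SMTP, accepted into the delivery path, or unknown."""
    if REJECT_RE.search(line):
        return "rejected"
    if ACCEPT_RE.search(line):
        return "accepted"
    return "unknown"


def scan_exim_log(text: str) -> List[Dict[str, object]]:
    """One finding per log line that contains an indicator string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INDICATOR_RE.search(line)
        if m:
            findings.append({"line": lineno, "indicator": m.group(0),
                             "status": classify(line), "text": line})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per status; 'accepted' is the bucket to investigate."""
    counts = {"rejected": 0, "accepted": 0, "unknown": 0}
    for f in findings:
        counts[str(f["status"])] += 1
    return counts


if __name__ == "__main__":
    for f in scan_exim_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['status']:8s} via {f['indicator']!r}")
    print(summarize(scan_exim_log(SAMPLE_LOG)))
```

Run it against a real mainlog with `scan_exim_log(open("/var/log/exim/main.log").read())` (path varies by distribution); any finding whose status is "accepted" is a line the post's grep alone would not have distinguished from the rejected ones.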