Re: [exim] CVE-2019-15846: Exim - local or remote attacker c…

Author: Dmitriy Matrosov
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.


On 9/7/19 9:51 AM, Heiko Schlittermann via Exim-users wrote:
> Marco Gaiarin via Exim-users <exim-users@???> (Fr 06 Sep 2019 23:42:03 CEST):
>> Hi! Heiko Schlittermann via Exim-users
>>    wrote on that day...
>>
>>> Add - as part of the mail ACL (the ACL referenced by the main config
>>> option "acl_smtp_mail"):
>>>       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
>>>       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
>>
>> For very old exim, e.g. 4.80, there are no _in_ and _out_ variables, so:
>>
>>        deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_sni}}}}
>>        deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_peerdn}}}}
>>
>
> And, if your Exim is linked against GnuTLS there is no $tls_sni variable
> at all. But - to my knowledge - the exploitable string is written to the
> -H spool file anyway (and read back).


On Debian 7, 8, 9 (exim is linked against GnuTLS) there is a $tls_sni
variable. On Debian 8 and 9 there is also a $tls_in_sni variable (as expected).

(Debian 6, 4.72, no $tls_sni, no $tls_in_sni)

# exim4 -bV
Exim version 4.72 #1 built 13-Jul-2014 21:26:25
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.30: (April 9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.8.6
GnuTLS runtime version: 2.8.6
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'
Failed: unknown variable name "tls_sni"


(Debian 7, 4.80, no $tls_in_sni)

# exim4 -bV
Exim version 4.80 #2 built 10-Feb-2018 15:37:26
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'

#
# exim4 -be '$tls_in_sni'
Failed: unknown variable name "tls_in_sni"
#


(Debian 8)

# exim4 -bV
Exim version 4.84_2 #1 built 05-Sep-2019 20:48:19
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'

#
# exim4 -be '$tls_in_sni'

#
(Debian 9)

# exim4 -bV
Exim version 4.89 #1 built 03-Sep-2019 18:01:38
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PRDR PROXY
SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'

#
# exim4 -be '$tls_in_sni'

#
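The probing done by hand above (run `exim4 -be '$var'` and look for "Failed: unknown variable name") can be scripted, so that a host emits the mitigation ACL using whichever variable names its own build understands. The following is an added example, not code from this thread or from the Exim project. It assumes the Debian binary name `exim4` (falling back to `exim`) is on PATH, that an unknown variable is reported by a line starting with "Failed:" as in the output quoted above, and it uses only the variable names that appear in the thread ($tls_in_sni/$tls_in_peerdn first, $tls_sni/$tls_peerdn as the fallback for builds such as 4.80). When neither pair exists, as in the 4.72 and some GnuTLS cases, it returns None rather than emitting an ACL that the config would reject.

```python
"""Pick the CVE-2019-15846 mitigation ACL that matches a local Exim build.

Added example (not code from the exim-users thread or the Exim project).
It automates what the posts above do by hand: probe each candidate TLS
variable with `exim -be '$var'`, treat a "Failed: unknown variable name"
answer as "this build has no such variable", and emit the deny lines
using whichever pair of names the build understands.
"""
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Candidate (sni, peerdn) pairs, newest naming first.  The tls_in_* names
# are the ones from the original advice quoted above; tls_sni/tls_peerdn
# are the fallback for older builds such as 4.80.
CANDIDATES = [
    ("tls_in_sni", "tls_in_peerdn"),
    ("tls_sni", "tls_peerdn"),
]


def variable_is_known(probe_output: str) -> bool:
    """Interpret the output of `exim -be '$var'`.

    A known variable (empty outside an SMTP session) expands to an empty
    line; an unknown one produces 'Failed: unknown variable name "..."'
    as shown in the thread.  Only the "Failed:" marker is relied on.
    """
    return "Failed:" not in probe_output


def probe_exim(exim_bin: str, var: str) -> bool:
    """Run the probe against a real binary (exim4 on Debian, exim elsewhere)."""
    proc = subprocess.run(
        [exim_bin, "-be", "$" + var],
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=False,
    )
    return variable_is_known(proc.stdout)


def choose_pair(known: Dict[str, bool]) -> Optional[Tuple[str, str]]:
    """First candidate pair whose two variables both exist, else None."""
    for pair in CANDIDATES:
        if all(known.get(v, False) for v in pair):
            return pair
    return None


def deny_line(var: str) -> str:
    """One ACL statement: deny if the variable's last character is a backslash."""
    # In the Exim config file the two-character sequence backslash-backslash
    # is the escaped form of a single backslash; substr{-1}{1} takes the
    # final character of the expanded value, exactly as in the quoted ACL.
    return "deny    condition = ${if eq{\\\\}{${substr{-1}{1}{$%s}}}}" % var


def mitigation_acl(known: Dict[str, bool]) -> Optional[str]:
    """ACL fragment for acl_smtp_mail, or None if no usable variables exist."""
    pair = choose_pair(known)
    if pair is None:
        return None
    return "\n".join(deny_line(v) for v in pair)


def ends_with_backslash(value: str) -> bool:
    """Python equivalent of the ACL condition, for checking sample values."""
    return value.endswith("\\")


if __name__ == "__main__":
    exim = shutil.which("exim4") or shutil.which("exim")
    if exim is None:
        # No Exim on this host: use a constructed probe result that mirrors
        # the Debian 7 / 4.80 case from the thread (tls_sni yes, tls_in_sni no).
        known = {"tls_sni": True, "tls_peerdn": True,
                 "tls_in_sni": False, "tls_in_peerdn": False}
    else:
        names = [v for pair in CANDIDATES for v in pair]
        known = {v: probe_exim(exim, v) for v in names}
    acl = mitigation_acl(known)
    print(acl if acl else "no usable TLS variables: this ACL cannot be applied to this build")
```

Run it as root on the host (the `-be` probes only expand strings and do not touch the queue) and paste the printed lines into the ACL referenced by `acl_smtp_mail`. A None result is the case Heiko describes for a GnuTLS build without $tls_sni: the ACL is not available there, and since by his account the string still reaches the -H spool file, upgrading Exim rather than relying on the ACL is the fix for such hosts.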