[Pkg-exim4-users] CVE-2010-4344 and Exim 4.69-9+lenny1
Olivier Bonvalet
debian-exim.list at daevel.fr
Tue Dec 14 09:49:13 UTC 2010
Hi,
one of my Debian machines was just "hacked", I think through this Exim vulnerability,
but Exim4 had already been upgraded to the "4.69-9+lenny1_amd64" version.
We upgraded it on 12/11/2010:
Aptitude 0.4.11.11: log
Sat, Dec 11 2010 21:03:49 +0100
IMPORTANT: this log only contains the actions that were requested; some
actions that fail because of dpkg errors may therefore not have been carried out.
12 packages will be installed, and 2 removed.
164kB of disk space will be freed
===============================================================================
[REMOVE, NOT USED] libdns55
[INSTALL, DEPENDENCIES] libdns58
[INSTALL, DEPENDENCIES] libisc50
[REMOVE, DEPENDENCIES] libisc52
[UPGRADE] bind9-host 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] dnsutils 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] exim4 4.69-9 -> 4.69-9+lenny1
[UPGRADE] exim4-base 4.69-9 -> 4.69-9+lenny1
[UPGRADE] exim4-config 4.69-9 -> 4.69-9+lenny1
[UPGRADE] exim4-daemon-heavy 4.69-9 -> 4.69-9+lenny1
[UPGRADE] libbind9-50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] libisccc50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] libisccfg50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] liblwres50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
===============================================================================
And the attacker exploited the vulnerability on 12/14/2010:
# stat /mnt/var/spool/exim4/s
  File: `/mnt/var/spool/exim4/s'
  Size: 9223      Blocks: 24         IO Block: 4096   regular file
Device: fd02h/64770d    Inode: 65906       Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2010-12-14 09:31:13.000000000 +0100
Modify: 2010-12-14 02:07:20.000000000 +0100
Change: 2010-12-14 02:07:20.000000000 +0100
2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root at pasbet.mrbinr.com U=root P=local S=4324
2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load average 1.01
2010-12-14 02:08:09 Start queue run: pid=32248
2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root at pasbet.mrbinr.com H=localhost (pasbet.mrbinr.com) [127.0.0.1] P=esmtp S=5158 id=E1PSJMZ-0007cg-Je at pasbet.mrbinr.com
2010-12-14 02:08:10 1PSJNC-0008Ow-0V no immediate delivery: load average 1.45
2010-12-14 02:08:10 1PSJMZ-0007cg-Je => haubau123 at yahoo.com R=dkimproxy T=dkimproxy_smtp H=localhost [127.0.0.1]
2010-12-14 02:08:10 1PSJMZ-0007cg-Je Completed
2010-12-14 02:08:10 End queue run: pid=32248
Or maybe it's a different problem?
Do you need more information, logs, or files?
Thanks,
Olivier Bonvalet