Menu

Search for hundreds of thousands of exploits

"Exim 4.87 < 4.91 - (Local / Remote) Command Execution"

Author

"Qualys Corporation"

Platform

linux

Release date

2019-06-05

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
Qualys Security Advisory

The Return of the WIZard: RCE in Exim (CVE-2019-10149)


========================================================================
Contents
========================================================================

Summary
Local exploitation
Remote exploitation
- Non-default configurations
- Default configuration
Acknowledgments
Timeline

    Boromir: "What is this new devilry?"
    Gandalf: "A Balrog. A demon of the Ancient World."
        -- The Lord of the Rings: The Fellowship of the Ring


========================================================================
Summary
========================================================================

During a code review of the latest changes in the Exim mail server
(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
Remote *Command* Execution, not Remote Code Execution: an attacker can
execute arbitrary commands with execv(), as root; no memory corruption
or ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by
a remote attacker in certain non-default configurations). To remotely
exploit this vulnerability in the default configuration, an attacker
must keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the
extreme complexity of Exim's code, we cannot guarantee that this
exploitation method is unique; faster methods may exist.

Exim is vulnerable by default since version 4.87 (released on April 6,
2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
manually. Surprisingly, this vulnerability was fixed in version 4.92
(released on February 10, 2019):

https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...
https://bugs.exim.org/show_bug.cgi?id=2310

but was not identified as a security vulnerability, and most operating
systems are therefore affected. For example, we exploit an up-to-date
Debian distribution (9.9) in this advisory.


========================================================================
Local exploitation
========================================================================

The vulnerable code is located in deliver_message():

6122 #ifndef DISABLE_EVENT
6123       if (process_recipients != RECIP_ACCEPT)
6124         {
6125         uschar * save_local =  deliver_localpart;
6126         const uschar * save_domain = deliver_domain;
6127
6128         deliver_localpart = expand_string(
6129                       string_sprintf("${local_part:%s}", new->address));
6130         deliver_domain =    expand_string(
6131                       string_sprintf("${domain:%s}", new->address));
6132
6133         (void) event_raise(event_action,
6134                       US"msg:fail:internal", new->message);
6135
6136         deliver_localpart = save_local;
6137         deliver_domain =    save_domain;
6138         }
6139 #endif

Because expand_string() recognizes the "${run{<command> <args>}}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, a local attacker can simply send a mail to
"${run{...}}@localhost" (where "localhost" is one of Exim's
local_domains) and execute arbitrary commands, as root
(deliver_drop_privilege is false, by default):

[...]


========================================================================
Remote exploitation
========================================================================

Our local-exploitation method does not work remotely, because the
"verify = recipient" ACL (Access-Control List) in Exim's default
configuration requires the local part of the recipient's address (the
part that precedes the @ sign) to be the name of a local user:

[...]

------------------------------------------------------------------------
Non-default configurations
------------------------------------------------------------------------

We eventually devised an elaborate method for exploiting Exim remotely
in its default configuration, but we first identified various
non-default configurations that are easy to exploit remotely:

- If the "verify = recipient" ACL was removed manually by an
  administrator (maybe to prevent username enumeration via RCPT TO),
  then our local-exploitation method also works remotely.

- If Exim was configured to recognize tags in the local part of the
  recipient's address (via "local_part_suffix = +* : -*" for example),
  then a remote attacker can simply reuse our local-exploitation method
  with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the
  name of a local user).

- If Exim was configured to relay mail to a remote domain, as a
  secondary MX (Mail eXchange), then a remote attacker can simply reuse
  our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum"
  (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the
  "verify = recipient" ACL can only check the domain part of a remote
  address (the part that follows the @ sign), not the local part.

------------------------------------------------------------------------
Default configuration
------------------------------------------------------------------------

[...]


========================================================================
Acknowledgments
========================================================================

We thank Exim's developers, Solar Designer, and the members of
distros@openwall.

"The Return of the WIZard" is a reference to Sendmail's ancient WIZ and
DEBUG vulnerabilities:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145
https://seclists.org/bugtraq/1995/Feb/56

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
http://www.cheswick.com/ches/papers/berferd.pdf


========================================================================
Timeline
========================================================================

2019-05-27: Advisory sent to security@exim.

2019-05-28: Advisory sent to distros@openwall.
Release Date Title Type Platform Author
2019-08-19 "Webmin 1.920 - Remote Code Execution" webapps linux "Fernando A. Lagos B"
2019-08-14 "ABC2MTEX 1.6.1 - Command Line Stack Overflow" dos linux "Carter Yagemann"
2019-08-12 "Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)" remote linux AkkuS
2019-08-12 "Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution" local linux "Etienne Lacoche"
2019-08-12 "Linux - Use-After-Free Reads in show_numa_stats()" dos linux "Google Security Research"
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2018-12-29 "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation" local linux bcoles
2018-12-29 "Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)" local linux bcoles
2018-12-29 "Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)" local linux bcoles
2019-07-24 "Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation" local linux bcoles
2019-07-26 "pdfresurrect 0.15 - Buffer Overflow" dos linux j0lama
2019-07-22 "Axway SecureTransport 5 - Unauthenticated XML Injection" webapps linux "Dominik Penner"
2019-07-22 "Comtrend-AR-5310 - Restricted Shell Escape" local linux "AMRI Amine"
2019-07-19 "Docker - Container Escape" local linux dominikczarnotatob
2019-07-22 "BACnet Stack 0.8.6 - Denial of Service" dos linux mmorillo
2019-07-19 "Web Ofisi Firma 13 - 'oz' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Rent a Car 3 - 'klima' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Firma Rehberi 1 - 'il' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 2 - 'ara' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi E-Ticaret 3 - 'a' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "fuelCMS 1.4.1 - Remote Code Execution" webapps linux 0xd0ff9
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-17 "Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting" webapps linux "Sarath Nair"
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
Release Date Title Type Platform Author
2019-06-05 "Exim 4.87 < 4.91 - (Local / Remote) Command Execution" remote linux "Qualys Corporation"
2015-03-18 "Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit)" remote linux "Qualys Corporation"
2002-07-09 "iPlanet Web Server 4.1 - Search Component File Disclosure" remote multiple "Qualys Corporation"
2018-09-26 "Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation" local linux "Qualys Corporation"
2018-05-30 "Procps-ng - Multiple Vulnerabilities" local linux "Qualys Corporation"
2017-12-13 "GNU C Library Dynamic Loader glibc ld.so - Memory Leak / Buffer Overflow" local linux "Qualys Corporation"
2017-09-26 "Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation" local linux "Qualys Corporation"
2017-06-28 "Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation" local linux_x86 "Qualys Corporation"
2017-06-28 "Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation" local linux_x86-64 "Qualys Corporation"
2017-06-28 "Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation" local linux_x86 "Qualys Corporation"
2017-06-28 "Linux Kernel - 'offset2lib' Stack Clash" local linux_x86 "Qualys Corporation"
2017-06-28 "OpenBSD - 'at Stack Clash' Local Privilege Escalation" local openbsd "Qualys Corporation"
2017-06-28 "Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation" local solaris_x86 "Qualys Corporation"
2017-06-14 "Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation" local linux "Qualys Corporation"
2017-06-28 "FreeBSD - 'setrlimit' Stack Clash (PoC)" dos freebsd_x86 "Qualys Corporation"
2017-06-28 "FreeBSD - 'FGPE' Stack Clash (PoC)" dos freebsd_x86 "Qualys Corporation"
2017-06-28 "FreeBSD - 'FGPU' Stack Clash (PoC)" dos freebsd_x86 "Qualys Corporation"
2017-06-28 "NetBSD - 'Stack Clash' (PoC)" dos netbsd_x86 "Qualys Corporation"
2015-07-27 "Libuser Library - Multiple Vulnerabilities" dos linux "Qualys Corporation"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46974/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/46974/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46974/41388/exim-487-491-local-remote-command-execution/download/", "exploit_id": "46974", "exploit_description": "\"Exim 4.87 < 4.91 - (Local / Remote) Command Execution\"", "exploit_date": "2019-06-05", "exploit_author": "\"Qualys Corporation\"", "exploit_type": "remote", "exploit_platform": "linux", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse