On Fri, 5 May 2017, [email protected] wrote:

https://bugs.exim.org/show_bug.cgi?id=2118

--- Comment #5 from Heiko Schlittermann <[email protected]> ---
(In reply to Sandor Takacs from comment #0)
I found this WordPress + Exim remote code execution exploit on exploit-db
site. It uses "exim -be '${run...}'" to place payload on the remote system.

https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

Its remote character is a WordPress problem. A remote attacker can run
commands on the WordPress site. Exim is one of the commands, but not the only
one. Probably an attacker can even run "cat", "touch" and so on. Where is the
vulnerability? Are "cat", "touch", and so on, not vulnerable? Or is WordPress
vulnerable?

I'm guessing that the exim/sendmail command name is set in the wordpress config and not under the hacker's control.

This "exploit" hides the "/" (and any other character that can be reliably got from exim -be) from whatever sanity checking WordPress
is doing on the command-line args.
That is a genuine (though small) increase in exposure, but it is not a problem of exim,
but of WordPress + exim being more than the sum of the two parts.

Perhaps exim could have a config option to disable -be and ${run}
for use in situations when its command line options are untrustworthy,
but that is being nice and covering someone else's back.

--
Andrew C Aitchison

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##