On 05.06.19 at 17:17, Heiko Schlittermann via Exim-users wrote:
> The fix for CVE-2019-10149 is public now.
>

As the advisory is a bit unspecific about protection, shouldn't a check for "$" in

    deny message     = Restricted characters in address
         domains     = +local_domains
         local_parts = ^[.] : ^.*[\$@%!/|]

and the non-local-domains block prevent such an attack on any version? Like in this working example I executed 10 minutes ago:

    [root@c1 ~]# nc 127.0.0.1 25
    220 mytestserver.de ESMTP Exim 4.90_1 Thu, 06 Jun 2019 12:50:11 +0200
    HELO d1.ret.de
    250 mytestserver.de Hello localhost [127.0.0.1]
    MAIL FROM: <[email protected]>
    250 OK
    RCPT TO: <${run{id}}@mytestserver.de>
    550 Restricted characters in address

Tested on a live server.

The advisory also says:

    Because expand_string() recognizes the "${run{<command> <args>}}" expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to "${run{...}}@...alhost" (where "localhost" is one of Exim's local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):

I did this, and nothing happened in an unprotected server config. strace did not show an execution of the given command at all.

Is it possible/plausible that Fedora built it with "DISABLE_EVENT" defined, so the vulnerable code is not in there? Any way to check that (I did not find the show-compile-settings option on the web)?

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
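Added example, not part of the post above and not Exim's own code: a small Python model of the RCPT-time ACL the poster quotes, run over constructed recipient addresses. It shows why the local_parts pattern with the added \$ rejects "${run{id}}@mytestserver.de" with the 550 seen in the nc session, and also that this deny only fires for +local_domains, so the same local part aimed at a non-local domain is handled by the second block instead. The non-local block is not quoted in the post; the patterns used for it here are an assumption modelled on the "Restricted characters in address" denies in Exim's default configure file, and the domain list and addresses are constructed.

```python
import re

# Constructed local-domain list standing in for Exim's +local_domains.
LOCAL_DOMAINS = {"mytestserver.de"}

# The poster's variant of the default deny for local domains:
#   local_parts = ^[.] : ^.*[\$@%!/|]
# In Exim the "\$" is needed because a bare "$" would be expanded; in a
# Python raw string the character class can hold "$" directly.
LOCAL_RULES = [
    re.compile(r"^[.]"),          # local part beginning with a dot
    re.compile(r"^.*[$@%!/|]"),   # any of $ @ % ! / | anywhere in it
]

# ASSUMPTION: the non-local block is not quoted in the post; these patterns
# follow the shape of Exim's default configure file for !+local_domains.
NONLOCAL_RULES = [
    re.compile(r"^[./|]"),
    re.compile(r"^.*[@%!]"),
    re.compile(r"^.*/\.\./"),
]

def split_address(rcpt):
    """Split a RCPT TO argument such as '<local@domain>' into (local_part, domain).

    The local part itself may contain '@' (that is one of the things the
    rule guards against), so the domain is taken after the LAST '@'.
    """
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        raise ValueError("address has no domain: %r" % rcpt)
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()

def rcpt_verdict(rcpt):
    """Return the SMTP reply this ACL model gives for one RCPT TO argument."""
    local, domain = split_address(rcpt)
    rules = LOCAL_RULES if domain in LOCAL_DOMAINS else NONLOCAL_RULES
    if any(r.search(local) for r in rules):
        return "550 Restricted characters in address"
    return "250 Accepted"

def run_rcpts(rcpts):
    """Evaluate a list of RCPT TO arguments and return (rcpt, reply) pairs."""
    return [(r, rcpt_verdict(r)) for r in rcpts]

if __name__ == "__main__":
    # Constructed recipients, including the one from the post's nc session.
    sample = [
        "<${run{id}}@mytestserver.de>",   # local domain: caught by the $ rule
        "<alice@mytestserver.de>",        # ordinary local recipient
        "<${run{id}}@example.org>",       # non-local: the local rule does not apply
        "<user@evil.example@mytestserver.de>",
        "<a/../b@example.org>",
    ]
    for rcpt, reply in run_rcpts(sample):
        print("RCPT TO: %s\n%s" % (rcpt, reply))
```

The non-local case is the caveat worth noticing: with these two blocks, "${run{id}}@example.org" is accepted at RCPT time because neither "$" nor the other listed characters in the assumed non-local pattern match, which is consistent with the advisory's condition that the attack needs a recipient in one of Exim's local_domains. Whether event code was compiled in is a build property the ACL cannot observe; from memory, `exim -bV` prints a "Support for:" line that lists "Event" when event support is built in, which is worth checking against the Fedora binary rather than taking on trust.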
