Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2022-05-17 Thread Peter Wullinger via Exim-users

Hi there,


  After you've rev-iewed all these documents, we can -easily talk abou-t
the following steps:


This very much looks like thread hijacking as used by Emotet-successor-type 
malware: quote a message from the hijacked mailbox, reply to the original 
sender with a malware link, but from a different sender address.


Somebody that received the original message has/had a malware infection.

Kind regards,
  Peter


smime.p7s
Description: S/MIME Cryptographic Signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2022-05-17 Thread Heiko Schlittermann via Exim-users
Hi folks,

this message

Heiko Schlittermann via Exim-users (Mon 16 May 2022 18:21:30 CEST):
>Hello there,
>After you've rev-iewed all these documents, we can -easily talk abou-t
>the following steps:
…
>2019-09-28 Release 4.92.3, Release-Announcements to
>exim-{announce,users,maintainers}, oss-security
> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

wasn't sent by me. If I'm not mistaken, then there was nothing wrong
with the message (From: doesn't use *my* domain, Sender didn't use *my*
domain, they just abused my display name (not even sure about this,
nobody can tell if there isn't a duplicate of my natural name ;).)

Unfortunately mailman cuts away the addresses (to allow passing DMARC
checks on your end).

Authentication-Results: exim.org;
iprev=pass (srv16-61.benzahosting.cl) smtp.remote-ip=131.72.236.61;
spf=pass smtp.mailfrom=segurytech.cl;
dkim=pass header.d=segurytech.cl header.s=default 
header.a=rsa-sha256;
dmarc=none header.from=segurytech.cl; arc=none
Received: from srv16-61.benzahosting.cl ([131.72.236.61]:56041)
by hummus.exim.org with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.94.2-31-g503e55a2c) (envelope-from )
id 1nqdUG-0005f4-3N
for exim-users@exim.org; Mon, 16 May 2022 16:22:26 +
Received: from [204.138.26.219] (port=36586 helo=srv16.benzahosting.cl)
by srv16.benzahosting.cl with esmtpsa  (TLS1.3) tls 
TLS_AES_128_GCM_SHA256
(Exim 4.95) (envelope-from )
id 1nqdTV-00EfP2-6f for exim-users@exim.org;
Mon, 16 May 2022 12:21:36 -0400
Date: Mon, 16 May 2022 08:21:30 -0800
X-Priority: 3 (Normal)
To: exim-users@exim.org
Message-ID: <5quvqrbobunhvyiplqb5x6nms4oxf...@segurytech.cl>

So Exim on Hummus didn't have any chance to detect the fake.
We need to re-think which of our mailing lists will be closed.

BTW, messages from me are GPG signed. Always. And if not, then please do
not trust the message.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


signature.asc
Description: PGP signature
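The headers Heiko quotes show why the MTA could not reject the message: SPF, DKIM and DMARC all speak for the From: domain (segurytech.cl), and that domain is the one that really sent and signed it; only the display name was borrowed. The check that would have caught it is a roster-based one, "this display name is only ever seen with these domains". The following is an added example, not code from the thread or from the Exim project. It parses the Authentication-Results value as quoted above (reassembled on one line) and a constructed From: header; the address local part and the known-sender roster are assumptions, since Mailman had already stripped the real address before the message reached the archive.

```python
"""Flag display-name impersonation that SPF/DKIM/DMARC alignment cannot see.

Added example for the exim-users thread; not Exim's code.
"""
import email.utils
import re

# Constructed sample: the Authentication-Results block Heiko quoted, joined
# onto one line. The From: local part ("hs") is made up; the archive only
# preserves the domain (header.from=segurytech.cl).
SAMPLE_AUTH_RESULTS = (
    "exim.org; iprev=pass (srv16-61.benzahosting.cl) smtp.remote-ip=131.72.236.61; "
    "spf=pass smtp.mailfrom=segurytech.cl; "
    "dkim=pass header.d=segurytech.cl header.s=default header.a=rsa-sha256; "
    "dmarc=none header.from=segurytech.cl; arc=none"
)
SAMPLE_FROM = "Heiko Schlittermann <hs@segurytech.cl>"

# Assumed roster: display names we expect only with these domains. A list
# server would derive this from its member database.
KNOWN_SENDERS = {
    "heiko schlittermann": {"schlittermann.de"},
}


def parse_auth_results(value: str) -> dict:
    """Minimal RFC 8601 parser: {method: {"result": ..., <property>: ...}}.

    Drops the leading authserv-id and any (comment) tokens.
    """
    out = {}
    parts = [p.strip() for p in value.split(";")]
    for part in parts[1:]:  # parts[0] is the authserv-id ("exim.org")
        part = re.sub(r"\([^)]*\)", "", part)  # strip CFWS comments
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"result": result}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            entry[key] = val
        out[method] = entry
    return out


def _normalize_name(name: str) -> str:
    # Mailman-style rewriting appends " via <list>"; strip it so the roster
    # still matches the underlying display name.
    base = re.sub(r"\s+via\s+.*$", "", name, flags=re.IGNORECASE)
    return " ".join(base.lower().split())


def display_name_impersonation(from_header: str, known=KNOWN_SENDERS):
    """Return (suspicious, reason) for a From: header value."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    key = _normalize_name(name)
    if key in known and domain not in known[key]:
        return True, (f"display name {name!r} is known only with "
                      f"{sorted(known[key])}, but the address is in {domain!r}")
    return False, ""


def assess(from_header: str, auth_results: str, known=KNOWN_SENDERS) -> dict:
    """Combine the MTA's authentication verdicts with the roster check."""
    ar = parse_auth_results(auth_results)
    _, addr = email.utils.parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    # Alignment is about the From: *domain*. Here the signer and the From:
    # domain are the same (segurytech.cl), so alignment holds by design and
    # tells us nothing about who the human sender claims to be.
    aligned = (
        ar.get("dkim", {}).get("header.d", "").lower() == from_domain
        or ar.get("spf", {}).get("smtp.mailfrom", "").lower() == from_domain
    )
    suspicious, reason = display_name_impersonation(from_header, known)
    return {
        "from_domain": from_domain,
        "dmarc": ar.get("dmarc", {}).get("result", "none"),
        "aligned_with_signer": aligned,
        "display_name_impersonation": suspicious,
        "reason": reason,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_FROM, SAMPLE_AUTH_RESULTS).items():
        print(f"{k}: {v}")
```

The verdict for the sample is "aligned, DMARC none, display name impersonation": exactly the situation Heiko describes, where the transport-level checks are clean and only a roster of known correspondents exposes the borrowed name. A list server that applies such a roster should treat a hit as a reason to moderate, not to reject outright, since nothing stops two people from sharing a name.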


Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2022-05-16 Thread Heiko Schlittermann via Exim-users
   Hello there,
   After you've rev-iewed all these documents, we can -easily talk abou-t
   the following steps:
   https://gachthefree.ga/loci/eiantmev199333608

   https://onedrive.live.com/download?cid=U4CQ9MH4G9SZ79GE=U4CQ9MH4G
   9SZ79GE%27854=4okpM9ufCr8w-sV
   ** Exim 4.92.3 released (security release) **

   CVE ID:     CVE-2019-16928
   Date:       2019-09-27 (CVE assigned)
   Version(s): from 4.92 up to and including 4.92.2
   Reporter:   QAX-A-TEAM
   Reference:  bugs.exim.org/show_bug.cgi?id=2449
   Issue:      Heap-based buffer overflow in string_vformat,
               remote code execution seems to be possible

   Conditions to be vulnerable
   ===========================

   All versions from (and including) 4.92 up to (and including) 4.92.2 are
   vulnerable.

   Details
   =======

   There is a heap-based buffer overflow in string_vformat (string.c). The
   currently known exploit uses an extraordinarily long EHLO string to crash
   the Exim process that is receiving the message. While in this mode of
   operation Exim already dropped its privileges, other paths to reach the
   vulnerable code may exist.

   Mitigation
   ==========

   There is - beside updating the server - no known mitigation.

   Fix
   ===

   Download and build the fixed version 4.92.3

   Tarballs: ftp.exim.org/pub/exim/exim4/
   Git:      github.com/Exim/exim.git (mirror)
             git://git.exim.org/exim.git
     - tag    exim-4.92.3
     - branch exim-4.92.3+fixes

   The tagged commit is the officially released version. The +fixes branch
   isn't officially maintained, but contains the security fix *and* useful
   fixes.

   The tarballs, the Git tag, and the Git commits are signed with my GPG key
   (same as I used to sign this mail.)

   If you can't install the above versions, ask your package maintainer for
   a version containing the backported fix. On request and depending on our
   resources we will support you in backporting the fix. (Please note, the
   Exim project officially doesn't support versions prior to the current
   stable version.)

   Timeline
   ========

   - 2019-09-27  Report as Bug 2499
   - 2019-09-28  Announcement to exim-maintainers, oss-security
   - 2019-09-28  Release 4.92.3, Release-Announcements to
                 exim-{announce,users,maintainers}, oss-security


Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2019-09-28 Thread Heiko Schlittermann via Exim-users
** Exim 4.92.3 released (security release) **

CVE ID: CVE-2019-16928
Date:   2019-09-27 (CVE assigned)
Version(s): from 4.92 up to and including 4.92.2
Reporter:   QAX-A-TEAM 
Reference:  https://bugs.exim.org/show_bug.cgi?id=2449
Issue:  Heap-based buffer overflow in string_vformat,
remote code execution seems to be possible

Conditions to be vulnerable
===

All versions from (and including) 4.92 up to (and including) 4.92.2 are
vulnerable.

Details
===

There is a heap-based buffer overflow in string_vformat (string.c).
The currently known exploit uses an extraordinarily long EHLO string to
crash the Exim process that is receiving the message. While in this
mode of operation Exim already dropped its privileges, other paths to
reach the vulnerable code may exist.

Mitigation
==

There is - beside updating the server - no known mitigation.

Fix
===

Download and build the fixed version 4.92.3

Tarballs: https://ftp.exim.org/pub/exim/exim4/
Git:  https://github.com/Exim/exim.git (mirror)
git://git.exim.org/exim.git
  - tag    exim-4.92.3
  - branch exim-4.92.3+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
fixes.

The tarballs, the Git tag, and the Git commits are signed with my GPG
key (same as I used to sign this mail.)

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix.  (Please note,
the Exim project officially doesn't support versions prior to the
current stable version.)

Timeline
=

- 2019-09-27    Report as Bug 2499
- 2019-09-28    Announcement to exim-maintainers, oss-security
- 2019-09-28    Release 4.92.3, Release-Announcements to
                exim-{announce,users,maintainers}, oss-security


signature.asc
Description: PGP signature