Critical vulnerability in Exim allows code execution as root on the server

A critical vulnerability (CVE-2019-10149) has been identified in the Exim mail server. It can lead to remote code execution with root privileges when a specially crafted request is processed. The problem is exploitable in versions 4.87 through 4.91 inclusive; older versions are also affected if they were built with the EXPERIMENTAL_EVENT option.

In the default configuration the attack is trivial for a local user. Remote exploitation of the default configuration is harder, because the "verify = recipient" ACL is applied, which performs additional checks on recipient addresses supplied from outside. A remote attack becomes straightforward when the configuration deviates from the default, for example when the server acts as a secondary MX for another domain, when the "verify = recipient" ACL has been removed, or after certain changes to local_part_suffix. Even with the default configuration, a remote attack is possible if the attacker can keep the connection to the server open for 7 days (for example, by sending one byte per minute to defeat the timeout). Simpler vectors for remote exploitation may well exist.

The vulnerability stems from incorrect handling of the recipient address in the deliver_message() function defined in /src/deliver.c. By manipulating the format of the address, an attacker can inject their own data into the arguments of a command launched via execv() with root privileges. Exploitation requires none of the complex techniques needed for buffer overflows or memory corruption; a simple substitution of characters is sufficient.

The problem lies in the following construct used to split the address into its local part and domain:

deliver_localpart = expand_string(
string_sprintf("${local_part:%s}", new->address));
deliver_domain = expand_string(
string_sprintf("${domain:%s}", new->address));

The expand_string() function is an overcomplicated string combiner that, among other things, recognizes the "${run{command arguments}}" item, which launches an external handler. Thus, to attack within an SMTP session, a local user only needs to issue a command such as 'RCPT TO "username+${run{...}}@localhost"', where localhost is one of the hosts in the local_domains list and username is the name of an existing local user.
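As an added illustration (not Exim's own code, and not from the original article), the following Python models the expansion step: a toy expand() that knows only the ${local_part:...} and ${domain:...} operators and the ${run{...}} item, a deliver_message_vulnerable() that builds the expansion string the way the deliver.c snippet above does, and a hardened variant that splits the address as plain data. Commands are recorded in a list rather than executed; the function names and sample addresses are assumptions made for the example.

```python
# Added example (not Exim's code): a toy model of Exim's string expansion,
# just enough to show why expanding a string built from an untrusted address
# lets "${run{...}}" inside that address be evaluated.
# Assumptions: only the ${local_part:...} and ${domain:...} operators and the
# ${run{...}} item are modelled; commands are recorded, never executed.


def _read_braced(s, i):
    """s[i] must be '{'; return (text inside the braces, index after '}')."""
    if s[i] != "{":
        raise ValueError("expected '{' at offset %d" % i)
    depth = 0
    for j in range(i, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
    raise ValueError("unbalanced braces in expansion string")


def expand(s, run_log):
    """Expand every ${...} item in s. Plain text is copied through."""
    out = []
    i = 0
    while i < len(s):
        if s.startswith("${", i):
            body, i = _read_braced(s, i + 1)      # text between the item's braces
            out.append(_expand_item(body, run_log))
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _expand_item(body, run_log):
    """body is the text between the braces of one ${...} item."""
    if body.startswith("run{"):
        cmd_raw, _ = _read_braced(body, 3)
        cmd = expand(cmd_raw, run_log)            # the command text is expanded too
        run_log.append(cmd)                       # real Exim: execv() of cmd, as root
        return ""                                 # stand-in for the command's stdout
    name, colon, arg_raw = body.partition(":")
    if colon != ":":
        raise ValueError("unsupported expansion item: " + body)
    # Operator form ${op:arg}: the argument is expanded BEFORE the operator
    # runs. This is the step that evaluates a ${run{...}} smuggled in an address.
    arg = expand(arg_raw, run_log)
    local, at, domain = arg.rpartition("@")
    if name == "local_part":
        return local if at else arg               # toy behaviour when no '@'
    if name == "domain":
        return domain if at else ""
    raise ValueError("unsupported operator: " + name)


def deliver_message_vulnerable(address, run_log):
    """Same pattern as the deliver.c snippet: the address is spliced into an
    expansion string, so ${...} inside the address is honoured."""
    deliver_localpart = expand("${local_part:%s}" % address, run_log)
    deliver_domain = expand("${domain:%s}" % address, run_log)
    return deliver_localpart, deliver_domain


def deliver_message_hardened(address):
    """Treat the address purely as data: split on the last '@', no expansion."""
    local, at, domain = address.rpartition("@")
    if not at:
        return address, ""
    return local, domain


if __name__ == "__main__":
    log = []
    print(deliver_message_vulnerable("alice@example.org", log), log)
    log = []
    crafted = "${run{/bin/sh -c id}}@localhost"        # constructed attacker input
    print(deliver_message_vulnerable(crafted, log), log)
    print(deliver_message_hardened(crafted))
```

Running it shows that the crafted address leaves the recorded command list non-empty (twice, once per expansion) and yields an empty local part, whereas the hardened split returns the attacker's text untouched as an ordinary, unroutable local part. The real expand_string() supports far more (conditions, lookups, the success and failure branches of ${run}), none of which changes the lesson: an untrusted string must never be fed to an expander that can run commands.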

If the server acts as a mail relay, it is enough to send 'RCPT TO "${run{...}}@relaydomain.com"' remotely, where relaydomain.com is one of the domains listed in the relay_to_domains setting. Since Exim does not drop privileges by default (deliver_drop_privilege = false), commands passed via "${run{...}}" are executed as root.
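As an added example (not Exim code, and not part of the article), here is a small Python scanner that flags ${run{...}} items in recipient addresses as they would appear in Exim log lines, covering both the local form (username+${run{...}}@localhost) and the relay form (${run{...}}@relaydomain.com). The log lines are constructed and only approximate Exim's mainlog and rejectlog format; the escape decoding assumes Exim's \xHH, \t and \n expansion escapes, which attackers use to avoid literal slashes and spaces in the command.

```python
# Added example (not Exim's code): scan Exim log lines for "${run{...}}"
# expansion items in recipient addresses. The log lines below are constructed
# and only approximate Exim's mainlog/rejectlog format; the escape decoding
# assumes Exim's \xHH, \t and \n escapes, which attackers use to hide
# slashes and spaces inside the command.
import re

LOG_SAMPLE = """\
2019-06-05 10:02:11 1hYm2k-0001xB-2Q <= alice@example.org H=(mail.example.org) [198.51.100.4] P=esmtp S=1532 for bob@localhost
2019-06-05 10:05:37 H=(evil) [203.0.113.7] F=<attacker@evil.test> rejected RCPT <${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@localhost>: Unrouteable address
2019-06-05 10:07:02 1hYm7c-0002Fq-9v <= attacker@evil.test H=(evil) [203.0.113.7] P=esmtp S=702 for ${run{/usr/bin/id}}@relaydomain.com
2019-06-05 10:09:15 1hYm9j-0002Hz-Lk <= carol@example.net H=(mx.example.net) [192.0.2.9] P=esmtp S=2210 for dave+${run{/bin/sh -c id}}@localhost
"""

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tn])")
_RUN_ITEM = re.compile(r"\$\{\s*run\s*\{([^}]*)\}")
_SRC_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_exim_escapes(s):
    """Resolve \\xHH, \\t and \\n so an obfuscated command becomes readable."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return {"t": "\t", "n": "\n"}[m.group(2)]
    return _ESCAPE.sub(repl, s)


def scan_exim_log(text):
    """Return one finding per log line that contains a ${run{...}} item."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        decoded = decode_exim_escapes(line)
        m = _RUN_ITEM.search(decoded)
        if not m:
            continue
        ip = _SRC_IP.search(decoded)
        findings.append({
            "line": lineno,
            "source_ip": ip.group(1) if ip else None,
            "command": m.group(1),   # decoded command text up to the first '}'
            "raw": line,
        })
    return findings


if __name__ == "__main__":
    for f in scan_exim_log(LOG_SAMPLE):
        print("line %d from %s: %r" % (f["line"], f["source_ip"], f["command"]))
```

The scanner decodes escapes before matching, so the hex-obfuscated command on the rejected RCPT line is reported as the same readable /bin/sh -c "id" that the plain-text lines carry. A rejection in the log is still worth an alert: it shows someone probing, and the same address accepted on a differently configured relay would have run the command as root.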

Notably, the vulnerability had already been eliminated in the 4.92 release published in February, without the change being flagged as security-relevant. There is no reason to believe the Exim developers deliberately concealed the vulnerability: the problem was fixed as a side effect of correcting a failure that occurred when malformed addresses were passed in, and the vulnerability itself was only identified later by Qualys during an audit of the changes in Exim.

For the earlier versions that distributions continue to ship, a fix is currently available only as a patch. Corrective releases for the previous branches are scheduled for June 11. Package updates are already available for Debian, Ubuntu and openSUSE. Arch Linux and Fedora ship version 4.92, in which the problem is not present. RHEL and CentOS are not affected, since Exim is not included in their regular package repositories.

Source: opennet.ru
