In Exim mail server
In the default configuration the attack can be carried out by a local user without any particular complications; for external addresses the "verify = recipient" ACL is applied, which performs additional checks. A remote attack becomes possible after configuration changes such as acting as a secondary MX for another domain, removing the "verify = recipient" ACL, or certain changes to local_part_suffix. A remote attack is also possible if the attacker is able to keep the connection to the server open for 7 days (for example, by sending one byte per minute to bypass the timeout). At the same time, it is possible that simpler vectors for remote exploitation of the problem exist.
The vulnerability is caused by incorrect verification of the recipient address in the deliver_message() function defined in the file /src/deliver.c. By manipulating the formatting of the address, an attacker can inject their own data into the arguments of a command invoked through the execv() function with root privileges. Exploitation does not require the complex techniques used for buffer overflows or memory corruption; simple character substitution is sufficient.
The problem is related to the use of the following construct for address conversion:

    deliver_localpart = expand_string(
        string_sprintf("${local_part:%s}", new->address));
    deliver_domain = expand_string(
        string_sprintf("${domain:%s}", new->address));
The expand_string() function is an overly complex, do-everything combiner: among other things it recognizes the construct "${run{command arguments}}", which launches an external handler. Thus, to attack within an SMTP session, a local user only needs to send a command like 'RCPT TO "username+${run{...}}@localhost"', where localhost is one of the hosts from the local_domains list and username is the name of an existing local user.
If the server operates as a mail relay, it is enough to remotely send a command like 'RCPT TO "${run{...}}@relaydomain.com"', where relaydomain.com is one of the hosts listed in the relay_to_domains setting. Since Exim does not use privilege-dropping mode by default (deliver_drop_privilege = false), commands passed via "${run{...}}" will be executed as root.
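As an added example (not part of the original article or of Exim itself), the following Python detection logic parses SMTP RCPT TO lines, isolates the local part, and flags recipients that carry Exim string-expansion constructs, distinguishing the local-domain and relay-domain paths described above. The domain lists and sample session are constructed assumptions.

```python
import re

# Constructed configuration values (assumptions, not taken from any real server).
LOCAL_DOMAINS = {"localhost", "mail.example.test"}
RELAY_TO_DOMAINS = {"relaydomain.example"}

# Exim expansion syntax: "${item{...}}" constructs and "$variable" references.
# A legitimate local part should not contain either.
EXPANSION = re.compile(r"\$\{|\$[A-Za-z_]")

# RCPT TO line, tolerant of whitespace around the colon and address.
RCPT_RE = re.compile(r"^\s*RCPT\s+TO\s*:\s*(.+?)\s*$", re.IGNORECASE)


def parse_rcpt(line):
    """Return (local_part, domain) from a RCPT TO line, or None if not parseable."""
    m = RCPT_RE.match(line)
    if not m:
        return None
    # Strip the quoting forms seen in the advisory: <addr> and "addr".
    addr = m.group(1).strip().strip('"').strip("<>")
    if "@" not in addr:
        return None
    local_part, _, domain = addr.rpartition("@")  # split at the last '@'
    return local_part, domain.lower()


def classify_rcpt(line):
    """'ok', 'ignore' (not a usable RCPT line) or an 'expansion-in-local-part:*' finding."""
    parsed = parse_rcpt(line)
    if parsed is None:
        return "ignore"
    local_part, domain = parsed
    if not EXPANSION.search(local_part):
        return "ok"
    if domain in LOCAL_DOMAINS:
        return "expansion-in-local-part:local-domain"   # user+${run{...}}@localdomain
    if domain in RELAY_TO_DOMAINS:
        return "expansion-in-local-part:relay-domain"   # ${run{...}}@relaydomain
    return "expansion-in-local-part:other-domain"


def scan_session(lines):
    """Return [(line, finding)] for every RCPT TO line that carries expansion syntax."""
    results = [(line, classify_rcpt(line)) for line in lines]
    return [(line, f) for line, f in results if f not in ("ok", "ignore")]


# Constructed SMTP session fragment used as sample input.
SAMPLE_SESSION = [
    "MAIL FROM:<sender@example.test>",
    "RCPT TO:<alice@localhost>",
    'RCPT TO:"bob+${run{...}}@localhost"',
    "RCPT TO:<${run{...}}@relaydomain.example>",
]
```

Running scan_session(SAMPLE_SESSION) reports the two crafted recipients and leaves the ordinary one alone.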
It is noteworthy that the vulnerability was
A fix for previous versions that continue to be used in distributions is currently only available as
Source: opennet.ru