2025-02-27 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report --
What are the details of the Exim remote command execution vulnerability? Many readers new to the topic are unsure where to start, so this article summarizes the cause of the problem and its fix. I hope it helps you understand and resolve it.
0x00 Overview
During a code audit of the latest changes to the Exim mail server (https://en.wikipedia.org/wiki/Exim), we found an RCE vulnerability affecting versions 4.87 to 4.91. In this case RCE means remote command execution rather than the traditional remote code execution: an attacker can execute commands as root via the execv() function.
When the attack is launched locally on the server, or when the server runs a non-default configuration, there are no further restrictions. To exploit the vulnerability remotely against a default configuration, the attacker must keep a connection to the server open for 7 days (sending 1 byte of data to the server every few minutes). Because Exim's code is complex, other attack methods, possibly simpler and faster, may exist.
The vulnerability has existed since version 4.87 (released 6 April 2016), when the guard around the affected code changed from #ifdef EXPERIMENTAL_EVENT to #ifndef DISABLE_EVENT. Older versions are also vulnerable if EXPERIMENTAL_EVENT is manually enabled. The vulnerability was fixed in version 4.92.
0x01 Local vulnerability reproduction
The vulnerability is in the deliver_message() function:
if (process_recipients != RECIP_ACCEPT)
  {
  uschar * save_local = deliver_localpart;
  const uschar * save_domain = deliver_domain;

  deliver_localpart = expand_string(
    string_sprintf("${local_part:%s}", new->address));
  deliver_domain = expand_string(
    string_sprintf("${domain:%s}", new->address));

  event_raise(event_action,
    US"msg:fail:internal", new->message);

  deliver_localpart = save_local;
  deliver_domain = save_domain;
  }
Because the expand_string() function interprets commands written in the form "${run{...}}", and new->address is the address of the message's recipient, a local attacker can send mail to "${run{...}}@localhost". If localhost is one of Exim's local domains, the command runs with root privileges. The trigger looks as follows:
john@debian:~$ cat /tmp/id
cat: /tmp/id: No such file or directory
john@debian:~$ nc 127.0.0.1 25
220 debian ESMTP Exim 4.89 Thu, 23 May 2019 09:10:41 -0400
HELO localhost
250 debian Hello localhost [127.0.0.1]
MAIL FROM:
250 OK
RCPT TO:
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Received: 1
Received: 2
Received: 3
Received: 4
Received: 5
Received: 6
Received: 7
Received: 8
Received: 9
Received: 10
Received: 11
Received: 12
Received: 13
Received: 14
Received: 15
Received: 16
Received: 17
Received: 18
Received: 19
Received: 20
Received: 21
Received: 22
Received: 23
Received: 24
Received: 25
Received: 26
Received: 27
Received: 28
Received: 29
Received: 30
Received: 31
.
250 OK id=1hTnYa-0000zp-8b
QUIT
221 debian closing connection
john@debian:~$ cat /tmp/id
cat: /tmp/id: Permission denied
root@debian:~# cat /tmp/id
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
In the example above:
1. We sent more than the default maximum number (30) of "Received:" headers to the mail server, which forced it to set process_recipients to RECIP_FAIL_LOOP and therefore reach the vulnerable code.
2. We bypassed the check for illegal characters in the recipient address (by using backslashes).
0x02 Remote vulnerability reproduction
The local trigger cannot be used remotely, because Exim's default access control list (ACL) requires the local part of the recipient address (the part before the @ sign) to be a local user.
john@debian:~$ nc 192.168.56.101 25
220 debian ESMTP Exim 4.89 Thu, 23 May 2019 10:06:37 -0400
HELO localhost
250 debian Hello localhost [192.168.56.101]
MAIL FROM:
250 OK
RCPT TO:
550 Unrouteable address
We eventually found two ways to trigger the vulnerability remotely: the first works when the server is not in its default configuration, the second when it is. The second is more complex and harder to trigger.
Non-default configuration
1. If the administrator has removed the ACL check, the local trigger also works remotely.
2. If the Exim configuration recognizes a suffix on the local part of the recipient address ("local_part_suffix = +* : -*"), an attacker can construct the recipient address "balrog+${run{...}}@localhost" to trigger the vulnerability (balrog is a local user).
3. If the Exim configuration relays mail to a remote domain, an attacker can use the recipient address "${run{...}}@khazad.dum" (khazad.dum being the remote domain in the Exim configuration), because the ACL of the Exim server only checks the domain part of the address (after the @ sign), not the local part.
Default configuration
First, we use a bounce message to get past the ACL's recipient check. If a message we send cannot be delivered, Exim automatically returns a delivery failure (bounce) message to the sender, so the original sender becomes the recipient of the bounce and the command can be executed: the ACL only checks the domain part of the original sender's address, not its local part.
The bounce message must then pass the process_recipients != RECIP_ACCEPT check in the vulnerable code. Because we do not control the headers of the bounce message, we cannot exceed the 30 "Received:" headers. However, if the bounce still cannot be delivered after 7 days, Exim sets process_recipients to RECIP_FAIL_TIMEOUT and the vulnerable code runs.
The last problem is that the server automatically discards a bounce message after 2 days, unless delivery of the bounce is delayed (triggering the temporary delivery failure policy), and the retry policy turns a delayed address into a failed address after 4 days. Together these keep the server from discarding the bounce within the 7 days. The steps are:
1. We send an email to an unreachable address on the vulnerable Exim server: the recipient is "postmaster", the sender address is "${run{...}}@khazad.dum", where khazad.dum is a domain we control.
2. Because the message cannot be delivered, Exim connects to khazad.dum and sends a bounce message to "${run{...}}@khazad.dum".
3. For the next 7 days, we send 1 byte of data to the server every 4 minutes to keep the connection alive.
4. After 7 days, the server returns a delivery failure ("550 Unrouteable address"), and the bounce message is handed to post_process_one() for processing. This function normally discards a bounce message that has existed for more than two days:
if (!*sender_address && message_age >= ignore_bounce_errors_after)
  setflag(addr, af_ignore_error);
Here, however, message_age is not the actual age of the bounce message (more than 7 days) but the time since the bounce was loaded from the Exim spool, which may be only seconds or minutes.
5. Finally, the Exim server re-reads the bounce message from the spool; message_age is now its real age, process_recipients is set to RECIP_FAIL_TIMEOUT, and the command in "${run{...}}@khazad.dum" is executed.
Note: the timeout_frozen_after and ignore_bounce_errors_after values in the Exim configuration can be shortened when testing the vulnerability.
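The two observable signs described above, a string-expansion sequence such as "${run{...}}" in the local part of a MAIL FROM or RCPT TO address and more than 30 "Received:" headers in a single message, can be checked for on the defender's side. The following is an added example (not code from the article or from Exim) that scans a constructed client-side SMTP transcript for both signs and checks a 220 banner against the affected version range; the transcript and function names are this example's own.

```python
import re
from typing import Iterable, List

# Affected range stated in the article (fixed in 4.92).
VULNERABLE_VERSIONS = {"4.87", "4.88", "4.89", "4.90", "4.91"}
RECEIVED_HEADERS_MAX = 30             # Exim's default received_headers_max
# Exim string-expansion opener "${" or a backslash escape in a local part.
EXPANSION_RE = re.compile(r"\$\{|\\")


def is_vulnerable_banner(banner: str) -> bool:
    """True if an SMTP 220 banner advertises an Exim version in 4.87..4.91."""
    m = re.search(r"ESMTP Exim (\d+\.\d+)", banner)
    return bool(m) and m.group(1) in VULNERABLE_VERSIONS


def _local_part(cmd: str) -> str:
    """Extract the local part from 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>'."""
    addr = cmd.split(":", 1)[1].strip().strip("<>")
    return addr.rsplit("@", 1)[0] if "@" in addr else addr


def analyze_session(lines: Iterable[str]) -> List[str]:
    """Return a list of findings for one client-side SMTP transcript."""
    findings, in_data, received = [], False, 0
    for line in lines:
        if in_data:                            # inside DATA: count Received: headers
            if line == ".":
                in_data = False
                if received > RECEIVED_HEADERS_MAX:
                    findings.append(f"{received} Received: headers "
                                    f"(> {RECEIVED_HEADERS_MAX}, forces RECIP_FAIL_LOOP)")
            elif line.lower().startswith("received:"):
                received += 1
            continue
        up = line.upper()
        if up.startswith(("MAIL FROM:", "RCPT TO:")):
            lp = _local_part(line)
            if EXPANSION_RE.search(lp):       # expansion syntax must never appear here
                findings.append(f"expansion syntax in local part of {up.split(':')[0]}: {lp}")
        elif up == "DATA":
            in_data = True
    return findings


# Constructed transcript modelled on the article's local test (client lines only).
SAMPLE_SESSION = ["HELO localhost", "MAIL FROM:<>", "RCPT TO:<${run{...}}@localhost>",
                  "DATA"] + [f"Received: {i}" for i in range(1, 32)] + [".", "QUIT"]

if __name__ == "__main__":
    for finding in analyze_session(SAMPLE_SESSION):
        print("ALERT:", finding)
```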
After reading the above, do you now understand the details of the Exim remote command execution vulnerability? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!