Slashdot Mirror


Remote Exim Exploit In the Wild

An anonymous reader sends word of a remote exploit in the wild against the Exim mail agent. The news comes from the Exim mailing list, where a user posted that his Exim install had been hacked via a remote exploit that gave the attacker the privileges of the mailnull user, which can lead to other possible attacks. A note up at the Internet Storm Center reminds Exim users how to set it up to run in unprivileged mode, and a commenter includes recompile instructions for Debian Exim for added safety. The security press hasn't picked up on this story so far.

20 of 90 comments

  1. Was fixed in 4.70 according to Mailing List by gQuigs · · Score: 5, Informative

    http://www.exim.org/lurker/message/20101210.071922.233697ac.en.html

    "Paul Fisher and I have successfully run the exploit against a copy of
    Exim running in a debugger on debian lenny, and we believe it utilizes
    this bug:

    http://bugs.exim.org/show_bug.cgi?id=787

    It was fixed in 4.70, but not in the version currently in debian
    stable.

    James E. Blair
    UC Berkeley"

    1. Re:Was fixed in 4.70 according to Mailing List by John+Hasler · · Score: 5, Informative

      It was fixed in 4.70, but not in the version currently in debian stable.

      Debian has released a DSA and a fixed version for Stable. See Debian Security Advisory DSA-2131-1 and Debian Security .

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Was fixed in 4.70 according to Mailing List by Rockoon · · Score: 3, Informative

      Security through obscurity.

      --
      "His name was James Damore."
    3. Re:Was fixed in 4.70 according to Mailing List by MobileTatsu-NJG · · Score: 4, Informative

      Boring target.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    4. Re:Was fixed in 4.70 according to Mailing List by asdfghjklqwertyuiop · · Score: 2

      It wasn't specifically reported as a security bug 2 years ago which is probably why the fix wasn't backported to debian. Someone probably went through the bug reports looking for a potential security bug that wasn't recognized as such and developed an exploit.

    5. Re:Was fixed in 4.70 according to Mailing List by B'Trey · · Score: 2
      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  2. Re:First comment! by clang_jangle · · Score: 4, Funny

    It is to the four people who actually succeeded at getting exim to run.

    --
    Caveat Utilitor
  3. cPanel by bsDaemon · · Score: 2

    Exim is the MTA that cPanel-enabled servers use, so there is quite a large install base, particularly in the consumer-oriented web hosting space. Expect a brief run of ha-ha before the mail spools get moved off to their own partition which is mounted no-exec.

    1. Re:cPanel by mpol · · Score: 2

      Whoops, apparently there's just an update released today. With a different fix it seems.
      http://forums.cpanel.net/f185/case-45290-exim-0-day-178281.html

      --

      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    2. Re:cPanel by Hatta · · Score: 2

      If you have a shell, what's the point of running a shell script? 'sh ./test.sh' doesn't allow you to do anything that you can't do from the shell itself. How would you use that to run arbitrary binaries from a noexec partition?

      --
      Give me Classic Slashdot or give me death!
  4. Debian patched it today by domatic · · Score: 5, Informative

    Debian released patches this morning for it.

    exim4 (4.69-9+lenny1) stable-security; urgency=high

        * Non-maintainer upload by the Security Team.
        * Fix SMTP file descriptors being leaked to processes invoked with ${run...}
        * Fix memory corruption issue in string_format(). CVE-2010-4344
        * Fix potential memory pool corruption issue in internal_lsearch_find().

      -- Stefan Fritsch Fri, 10 Dec 2010 13:25:07 +0100
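
An added triage example (not from the thread, Exim or Debian) that applies the two fixed versions quoted above, upstream 4.70 and Debian lenny's 4.69-9+lenny1, to a constructed package inventory. The inventory format, the hostnames and the `classify`/`triage` names are assumptions; builds with any other vendor suffix are reported as unknown because the thread does not say which of them carry a backport.

```python
import re

# Fixed versions quoted in the thread.
UPSTREAM_FIXED = (4, 70)        # "It was fixed in 4.70"
LENNY_FIXED = ((4, 69), 9, 1)   # exim4 4.69-9+lenny1 (stable-security)

_UPSTREAM = re.compile(r"(\d+)\.(\d+)(?:\.\d+)*")
_DEB_REV = re.compile(r"-(\d+)(?:\+lenny(\d+))?")


def classify(version):
    """Return 'fixed', 'unpatched' or 'unknown' for one version string."""
    version = version.strip()
    m = _UPSTREAM.match(version)
    if not m:
        return "unknown"
    upstream = (int(m.group(1)), int(m.group(2)))
    if upstream >= UPSTREAM_FIXED:
        return "fixed"
    suffix = version[m.end():]
    if not suffix:
        return "unpatched"              # plain upstream release older than 4.70
    rev = _DEB_REV.fullmatch(suffix)
    if not rev:
        return "unknown"                # other vendor build: check its advisory
    build = (upstream, int(rev.group(1)))
    lenny = int(rev.group(2) or 0)
    if build == LENNY_FIXED[:2] and lenny >= LENNY_FIXED[2]:
        return "fixed"
    if build <= LENNY_FIXED[:2]:
        return "unpatched"              # predates the security upload
    return "unknown"                    # newer revision the thread does not cover


# Constructed inventory: "<host> <package> <version>" per line.
SAMPLE_INVENTORY = """\
mx1.example.test exim4 4.69-9
mx2.example.test exim4 4.69-9+lenny1
mx3.example.test exim 4.72
mx4.example.test exim 4.63-1.vendor1
"""


def triage(inventory):
    """Map each host to its classification."""
    report = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _package, version = line.split()
            report[host] = classify(version)
    return report
```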

  5. Re:First comment! by Monkeedude1212 · · Score: 2

    Yeah but the people who use Debian know they've got it rough enough and don't need to rub it in using Exim.

  6. Re:There IS some idiocy in FOSS at times ... by Raenex · · Score: 2

    Stop whining about your karma, and learn to format paragraphs.

  7. Re:First comment! by Profane+MuthaFucka · · Score: 2

    I use Exim. I have great clanking balls.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  8. Wow ... "Electric Fence spotted this problem" by Kaz+Kylheku · · Score: 2

    Welcome to the early 1990's of memory debugging.

    That string_format problem is incredibly shameful this day and age, too.

    You know what? I think I'm going to run my exim4 installation under Valgrind, set to terminate at the first memory error.

    (Will I still get any e-mail?)

  9. Exim hate by Curunir_wolf · · Score: 3

    I don't really get all the hate for Exim. I've been using it exclusively on mail servers for about 10 years, and I've never had a problem. I do remember going through a lot of reading and learning (and sometimes experimenting) the first few times I set it up (and of course when implementing a major feature change). But, for me, the task was less daunting than the alternatives. I don't really remember whether postfix was one of those alternatives I explored at the time, but now that I'm familiar with Exim, I see no reason to change.

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
    1. Re:Exim hate by caseih · · Score: 2

      Sendmail has one redeeming feature: milters. Postfix is only now starting to support sendmail-compatible milter filters. The ability to filter and discard spam at the connection level is, in my opinion, better and cleaner than hackish solutions like amavisd.

  10. Milters? by dwmw2 · · Score: 2

    Whereas Exim doesn't *need* milters because it's sufficiently capable all by itself.

    I once had a Postfix advocate look over my Exim config to see if he could make Postfix do what Exim can do. He gave up.

  11. Sure glad all my servers run Sendmail by dskoll · · Score: 5, Funny

    Bet you never thought you'd read that in response to a security announcement. :)