Millions of Exim mail servers are exposed to attacks due to a critical vulnerability that makes it possible for unauthenticated remote attackers to execute arbitrary commands.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The vulnerability, tracked as CVE-2019-10149, resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

“In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.” reads the security advisory published by Qualys. “This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations).”

The CVE-2019-10149 flaw was called ‘The Return of the WIZard,” a reference to Sendmail’s ancient WIZ and DEBUG vulnerabilities.

The flaw is easily exploitable by a local and a remote attacker in certain non-default configurations, experts believe that threat actors will start using it in attacks in the wild.

Experts explained that in order to remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days. It is necessary to transmit one byte every few minutes, however, the experts cannot guarantee that this exploitation method is unique.

Experts pointed out that the following non-default Exim configurations could be easily exploited by a remote attacker:

If the “verify = recipient” ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely.

If Exim was configured to recognize tags in the local part of the recipient’s address (via “local_part_suffix = +* : -*” for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “balrog+${run{…}}@localhost” (where “balrog” is the name of a local user).

If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “${run{…}}@khazad.dum” (where “khazad.dum” is one of Exim’s relay_to_domains). Indeed, the “verify = recipient” ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.

The CVE-2019-10149 flaw was addressed the Exim’s development team with the release of version 4.92 in February. Unfortunately, a large number of operating systems are still affected by the vulnerability.

Querying Shodan for vulnerable versions of Exim it is possible to find 4,353,180 installs most of them in the United States (2,462,098).

Searching for patched Exim installs running the 4.92 release we can find 1,071,818 systems.

Pierluigi Paganini

(SecurityAffairs – Exim, hacking)