The flaw affects Exim versions 4.87 to 4.91 and is caused by improper validation of recipient addresses in the deliver_message() function in /src/deliver.c, which leads to RCE on the mail server with root privileges. "RCE meaning Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved," said Qualys, the outfit that discovered and reported the vulnerability. As the research team at Qualys also said, the Exim flaw "is exploitable in both the local and non-default cases;" potential attackers need to work rather harder in the default case.

## Details of the Exim RCE vulnerability

The CVE-2019-10149 vulnerability is rated critical and can be exploited "instantly by a local attacker (and by a remote attacker in certain non-default configurations)." The following non-default Exim configurations are easy to exploit remotely, according to Qualys:

If the "verify = recipient" ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely.

If Exim was configured to recognize tags in the local part of the recipient's address (via "local_part_suffix = +* : -*" for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "balrog+${run{…}}@localhost" (where "balrog" is the name of a local user).

If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "${run{…}}@khazad.dum" (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the "verify = recipient" ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.
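The two remote cases above share one observable: an Exim string-expansion item such as ${run{…}} arriving inside a recipient address, where it never belongs. The following is an added example, not code from the article or from Qualys, showing how a defender can flag such recipients in SMTP dialogue or log-style lines and check whether an Exim version string falls in the affected range. The extra expansion item names beyond "run" and the sample lines are constructed assumptions for illustration.

```python
import re
from typing import List, Tuple

# Releases the article names as affected by CVE-2019-10149: 4.87 through 4.91.
# 4.92 carries the fix (even though it was not flagged as a security fix at the time).
AFFECTED_MIN, AFFECTED_MAX = (4, 87), (4, 91)

def exim_version_affected(version: str) -> bool:
    """True when an Exim 'major.minor' version string falls inside the affected range."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Exim version: {version!r}")
    v = (int(m.group(1)), int(m.group(2)))
    return AFFECTED_MIN <= v <= AFFECTED_MAX

# Expansion items that have no business inside a recipient address.  ${run{...}} is the
# one the advisory names; the others are defensive additions (assumption, not from the page).
EXPANSION_RE = re.compile(r"\$\{\s*(run|readsocket|perl|dlfunc|lookup)\b", re.IGNORECASE)
# Any angle-bracketed address on a line, e.g. "RCPT TO:<x@y>" or "rejected RCPT <x@y>".
ADDR_RE = re.compile(r"<([^<>]*)>")

def address_has_expansion(address: str) -> bool:
    """Flag an address carrying an expansion item anywhere, tagged local parts included."""
    return EXPANSION_RE.search(address) is not None

def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, address) for every bracketed address holding an expansion item."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for addr in ADDR_RE.findall(line):
            if address_has_expansion(addr):
                hits.append((n, addr))
    return hits

# Constructed sample lines (an SMTP dialogue fragment and a log-style entry); not real traffic.
SAMPLE = [
    "RCPT TO:<balrog@localhost>",
    "RCPT TO:<balrog+${run{...}}@localhost>",
    "2019-06-10 12:00:00 H=(mx) [192.0.2.7] F=<a@example.org> rejected RCPT <${run{...}}@khazad.dum>",
    "RCPT TO:<user+tag@example.org>",
]

if __name__ == "__main__":
    for n, addr in scan_lines(SAMPLE):
        print(f"line {n}: suspicious recipient {addr}")
```

A plain "+tag" suffix such as user+tag is left alone; only the expansion syntax itself is flagged, so the check fits into an ACL review or a log-monitoring rule without breaking legitimate sub-addressing.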

Remotely exploiting the flaw on vulnerable servers in the default configuration is more elaborate and requires patience, because attackers "must keep the connection to the vulnerable server open for seven days (by transmitting one byte every few minutes)," the Qualys advisory says. "Because Exim's code is extremely complex we cannot, however, guarantee that this method of exploitation is unique; faster methods may exist."

Figure: the estimated number of vulnerable mail servers per country

The CVE-2019-10149 bug was patched by Exim's developers on February 10 in version 4.92, although "the bug was not identified at that time as a security vulnerability," and thus most of the operating systems are affected. According to a quick Shodan search, vulnerable Exim versions are currently running on roughly 4,800,000 machines, with over 588,000 servers running the patched Exim 4.92 release. Researchers have named the CVE-2019-10149 flaw "The Return of the WIZard," connecting it to the 1999 WIZ and DEBUG bugs, which also enabled attackers to run root commands on servers running vulnerable versions of the Sendmail mail transfer agent.