New Exim code-execution security hole discovered
December 12, 2010
The maintainers of the Exim mail server have warned of an in-the-wild attack that lets attackers execute malicious code with full system privileges by exploiting a security hole in older versions of the open-source mail transfer agent.
The memory-corruption vulnerability affects Exim version 4.69 and earlier, and it has already been used in at least one attack that reportedly gave the attacker root on an enterprise mail server.
Internet security experts have sounded the alarm because the vulnerability is remotely exploitable and is already being used maliciously. Worse, attack code has also been added to the Metasploit exploitation framework, making the attack easy for others to reproduce and widening its impact.
Maintainers for the Debian, Ubuntu and Red Hat distributions of Linux have already issued security patches, and their counterparts for other distributions are sure to follow very soon as well. The most reliable fix is to update to version 4.7.
Exim maintainer David Woodhouse has compiled a list of other options and short-term mitigations as well.
The vulnerability was fixed in Exim version 4.7 more than two years ago, but the fix was never identified as a security patch, so it was never backported to older versions, which are still in wide use today. The flaw is triggered by sending a vulnerable system a message with maliciously crafted headers and a 50 Mb attachment. When the message is rejected for being too large and the rejection is logged, the crafted headers trigger a buffer overflow in the logging code, which lets the attacker's code execute on the server.
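The failure mode described above is a rejection-log line built from attacker-controlled headers in a fixed-size buffer. The following added example (written for this article, not Exim's own code) shows the defensive pattern: the oversized message is rejected and logged, but every header is appended with bounded formatting, and truncation is detected and reported instead of overrunning the buffer. The buffer size, size limit, log format and return codes are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical sizes, not Exim's: a small log buffer makes truncation easy to demonstrate. */
#define LOG_BUF_SIZE 128
#define MAX_MESSAGE_SIZE (50L * 1024 * 1024)  /* assumed 50 MB rejection threshold */

/* Append formatted text to buf (capacity cap) at offset *used.
 * Returns 0 if it fit, -1 if the text was truncated. snprintf never writes past cap,
 * and its return value tells us how much it *wanted* to write, so an overflow is
 * reported rather than silently written past the end of the buffer. */
static int append_bounded(char *buf, size_t cap, size_t *used, const char *fmt, const char *val) {
    if (*used >= cap) return -1;
    int n = snprintf(buf + *used, cap - *used, fmt, val);
    if (n < 0) return -1;
    if ((size_t)n >= cap - *used) {   /* did not fit: buffer is full and NUL-terminated */
        *used = cap - 1;
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Build the rejection log line for a message of the given size.
 * headers is a NULL-terminated array of header lines (attacker-controlled input).
 * Returns 0 if the message is within the limit (not rejected),
 *         1 if it was rejected and the log line fit,
 *         2 if it was rejected but the log line had to be truncated. */
int log_oversize_reject(long size, const char *const *headers, char *out, size_t cap) {
    size_t used = 0;
    int truncated = 0;
    char num[32];

    if (size <= MAX_MESSAGE_SIZE) { out[0] = '\0'; return 0; }

    snprintf(num, sizeof num, "%ld", size);
    if (append_bounded(out, cap, &used, "rejected: message too big size=%s", num) != 0)
        truncated = 1;
    /* Each header goes through the same bounded append; a huge header cannot overrun out[]. */
    for (const char *const *h = headers; *h != NULL; h++)
        if (append_bounded(out, cap, &used, " H=%s", *h) != 0)
            truncated = 1;
    return truncated ? 2 : 1;
}
```

A caller that sees return code 2 knows the log entry is incomplete and can record that fact separately, which is the information the unchecked original pattern throws away.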
The code-execution attack is combined with a privilege-escalation vulnerability that arises when administrators allow multiple configuration files to be used, a popular option that offers convenience and flexibility in some cases.
Exim's maintainers now recommend that this option be turned off, so that root privileges are required to override the default configuration file.
“It doesn't get much worse than remote code execution as root,” said Dan Rosenberg, a security consultant for Virtual Security Research. “You can just run your exploit on the network and execute code. You don't need any user interaction at all.”
Although the in-the-wild attack was reported early on Dec. 8, Exim maintainers were not able to reproduce the exploit until Dec. 10.
“And it also depends on hitting certain buffer sizes of exactly the right length. The 2008 security patch was never backported because the security implications didn't occur to those who were dealing with it at the time. Obviously, someone did look at it, and saw it as an opportunity,” added Rosenberg.
The overlooked flaw is a cautionary tale about the dangers of fixing security holes without issuing explicit advisories to the Internet community.
“It really underscores the importance of singling out security issues and publicizing them as such,” Rosenberg said. “Otherwise, this sort of thing can happen again and again.”
Source: Virtual Security Research.