Exim is one of the most widely used MTAs on mail-enabled servers on the internet and the default MTA on Debian/Ubuntu(?).

Original author(s): Philip Hazel (started 1995)
Developer(s): The Exim Maintainers

Thus you can expect hackers, crackers and the NSA to target it.

Exim < 4.86.2 – Privilege Escalation

exim --version; # check your exim version

The available version of Exim on Debian stable is 4.84.2-2; you can easily upgrade to version 4.89 by installing the needed package from backports through the following steps, run:

echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
echo "deb http://httpredir.debian.org/debian jessie-backports main contrib non-free" >> /etc/apt/sources.list
apt-get update
apt-get remove exim4
apt-get -t jessie-backports install exim4

You can install an even more recent version from testing using apt-pinning, but it is not recommended because you can break some dependencies.

(src: https://stackoverflow.com/questions/40781547/how-to-install-latest-stable-eximrspamd-version)

“This vulnerability could be exploited by attackers who have local access to the
system to escalate their privileges to root which would allow them to fully
compromise the system.”

“To exploit this setting and gain the effective root privilege of the SUID binary,
attackers can inject PERL5OPT perl environment variable, which does not get
cleaned by affected versions of Exim.”

https://www.exploit-db.com/exploits/39549/

You can check what version of mail server a host is running by connecting with telnet to the SMTP port of your server:

telnet domain.com 25
# or
telnet domain.com 587

Some examples:

user@debian9:~$ telnet mx.freenet.de 587
Trying 195.4.92.211...
Connected to mx.freenet.de.
Escape character is '^]'.
220 mx0.freenet.de ESMTP Exim 4.85 Thu, 06 Jul 2017 11:27:46 +0200
^C
quit
Connection closed by foreign host.
user@debian9:~$ telnet mail.gmx.net 587
Trying 212.227.17.190...
Connected to mail.gmx.net.
Escape character is '^]'.
220 gmx.com (mrgmx002) Nemesis ESMTP Service ready
quit
221 gmx.com Service closing transmission channel
Connection closed by foreign host.
user@debian9:~$ telnet mail.your-server.de 587; # hetzner
Trying 78.46.5.205...
Connected to mail.your-server.de.
Escape character is '^]'.
220 sslproxy02.your-server.de ESMTP Exim 4.84_2 Thu, 06 Jul 2017 11:29:00 +0200
quit
221 sslproxy02.your-server.de closing connection
Connection closed by foreign host.
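Doing the same banner check in a script, as an added example that is not part of the original post: it parses the "ESMTP Exim X.Y" greeting the sessions above show, compares the version against 4.86.2 and flags anything older for follow-up. The sample banners are constructed from the telnet output above; a banner is only a triage signal, since distributions backport fixes without bumping the upstream version, so confirm with the package changelog before acting.

```python
import re
import socket

# First Exim release that cleans PERL5OPT (from the heading above: Exim < 4.86.2)
FIXED_VERSION = (4, 86, 2)

# Constructed from the telnet sessions above (not live data)
SAMPLE_BANNERS = [
    "220 mx0.freenet.de ESMTP Exim 4.85 Thu, 06 Jul 2017 11:27:46 +0200",
    "220 sslproxy02.your-server.de ESMTP Exim 4.84_2 Thu, 06 Jul 2017 11:29:00 +0200",
    "220 gmx.com (mrgmx002) Nemesis ESMTP Service ready",
]

# Debian banners write the patch level as "4.84_2", upstream as "4.86.2"
BANNER_RE = re.compile(r"\bExim (\d+)\.(\d+)(?:[._](\d+))?")


def parse_exim_version(banner):
    """Return (major, minor, patch) from an Exim SMTP banner, or None if not Exim."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_below_fix(version):
    """True when the banner version is older than the first fixed release."""
    return version is not None and version < FIXED_VERSION


def triage(banners):
    """Map each banner to 'needs-review', 'ok' or 'not-exim'."""
    verdicts = {}
    for banner in banners:
        version = parse_exim_version(banner)
        if version is None:
            verdicts[banner] = "not-exim"
        else:
            verdicts[banner] = "needs-review" if is_below_fix(version) else "ok"
    return verdicts


def grab_banner(host, port=25, timeout=5.0):
    """Read the greeting line from a live server you administer (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        line = reader.readline().rstrip("\r\n")
        sock.sendall(b"QUIT\r\n")
    return line


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:13} {banner}")
```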

PS: All Cisco devices have NSA-backdoors factory build-in… have PHUN! 😀

Videos: Mail Server Conference Berlin 2009
