As the research team at Qualys, the firm that discovered and analyzed the vulnerability, explains, "RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved." Qualys also says the Exim flaw "is trivially exploitable in the local and non-default cases," so exploitation should be expected sooner rather than later. The flaw affects Exim versions 4.87 to 4.91 and is caused by improper validation of recipient addresses in the deliver_message() function in src/deliver.c, which leads to command execution on the mail server with root privileges.
Details of the Exim RCE vulnerability
According to Qualys, CVE-2019-10149 is critical and can be exploited instantly "by a local attacker (and by a remote attacker in certain non-default configurations)." The following non-default Exim configurations are easy to exploit remotely:
If Exim was configured to recognize tags in the local part of the recipient's address (via "local_part_suffix = +* : -*", for example), then a remote attacker can simply reuse the local-exploitation method with an RCPT TO of "balrog+${run{...}}@localhost" (where "balrog" is the name of a local user).

If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse the local-exploitation method with an RCPT TO of "${run{...}}@khazad.dum" (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the "verify = recipient" ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.

If the "verify = recipient" ACL was removed manually by an administrator (perhaps to prevent username enumeration via RCPT TO), then the local-exploitation method also works remotely.
Remotely exploiting the default configuration on a vulnerable host is more complicated and requires patience, because the attacker "must keep the connection to the vulnerable server open for seven days (by transmitting one byte every few minutes)," the Qualys advisory says. "Because Exim's code is extremely complex we cannot, however, guarantee that this method of exploitation is unique; faster methods may exist."
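The conditions above can be turned into a quick audit. The following script is an added example written for this article; it is not code from Qualys or from the Exim project. It encodes the affected version range the article gives (4.87 to 4.91, fixed in 4.92), the three non-default configurations that make the bug instantly exploitable from the network (tags via local_part_suffix, relaying for relay_to_domains, and a missing "verify = recipient" in the RCPT ACL), and the "${run{...}}" expansion in the local part of an RCPT TO address as a log-detection signal. The regular expressions assume the usual layout of an Exim main configuration file and are not a full Exim config parser; the sample configuration and SMTP lines are constructed for the example, reusing the "balrog" and "khazad.dum" names from the advisory text.

```python
"""Configuration and log checks for CVE-2019-10149 (Exim 4.87 to 4.91).

Added example for this article, not code from Qualys or the Exim project.
The regexes assume the usual layout of an Exim main configuration file
(they are not a full config parser); the sample configuration and SMTP
lines at the bottom are constructed for the example.
"""
import re

# Affected range given in the article; 4.92 (2019-02-10) carries the fix.
FIRST_AFFECTED = (4, 87)
LAST_AFFECTED = (4, 91)

def parse_exim_version(banner):
    """(major, minor) from a banner such as '220 mx ESMTP Exim 4.91 ...', else None."""
    m = re.search(r"\bExim (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_in_affected_range(version):
    """True for upstream 4.87..4.91.  Distributions backported the fix without
    changing the version string, so a banner alone proves nothing either way."""
    return version is not None and FIRST_AFFECTED <= version <= LAST_AFFECTED

def _strip_comments(config_text):
    return "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())

def _rcpt_acl_body(text):
    """Body of the ACL named by acl_smtp_rcpt, or None if it cannot be located."""
    m = re.search(r"^[ \t]*acl_smtp_rcpt[ \t]*=[ \t]*(\w+)", text, re.M)
    if not m:
        return None
    pattern = r"^%s:[ \t]*\n(.*?)(?=^\w+:[ \t]*$|^begin\b|\Z)" % re.escape(m.group(1))
    block = re.search(pattern, text, re.M | re.S)
    return block.group(1) if block else None

def audit_config(config_text):
    """(code, explanation) for each advisory condition the configuration shows.
    An empty list means only the slow default path (a connection held open
    for seven days) is left to a remote attacker; the host is still vulnerable."""
    text = _strip_comments(config_text)
    findings = []
    # Case 1: recipient tags, e.g. local_part_suffix = +* : -*
    if re.search(r"^[ \t]*local_part_suffix[ \t]*=[ \t]*\S*\*", text, re.M):
        findings.append(("local_part_suffix",
                         "tags accepted in the local part: 'user+${run{...}}@<local domain>' "
                         "reaches the expansion in deliver_message()"))
    # Case 2: secondary MX; 'verify = recipient' checks only the domain part
    m = re.search(r"^[ \t]*(?:domainlist[ \t]+)?relay_to_domains[ \t]*=[ \t]*(.*)$", text, re.M)
    if m and m.group(1).strip():
        findings.append(("relay_to_domains",
                         "relaying enabled: '${run{...}}@<relay domain>' passes recipient verification"))
    # Case 3: 'verify = recipient' removed from the RCPT ACL
    acl = _rcpt_acl_body(text)
    if acl is None or not re.search(r"verify[ \t]*=[ \t]*recipient", acl):
        findings.append(("no_recipient_verify",
                         "RCPT ACL does not verify recipients: the local method works remotely"))
    return findings

def rcpt_local_part(smtp_line):
    """Local part of the address in an SMTP 'RCPT TO:<...>' command, else None."""
    m = re.search(r"RCPT TO:\s*<(.*)>", smtp_line, re.I)
    if not m:
        return None
    addr = m.group(1)
    return addr.rpartition("@")[0] if "@" in addr else addr

def rcpt_is_suspicious(smtp_line):
    """A string-expansion operator ('${') in the local part never occurs in
    legitimate mail, so it is a low-noise signal for attempts against this bug."""
    local = rcpt_local_part(smtp_line)
    return local is not None and "${" in local

# Constructed sample: a secondary MX for khazad.dum that also accepts +tags.
SAMPLE_CONFIG = """\
domainlist local_domains = @ : localhost
domainlist relay_to_domains = khazad.dum
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  require verify = recipient
  accept

begin routers

localuser:
  driver = accept
  local_part_suffix = +* : -*
  local_part_suffix_optional
"""

# Same server without the two shortcuts; still vulnerable, only slower to exploit.
DEFAULT_STYLE_CONFIG = (SAMPLE_CONFIG
                        .replace("relay_to_domains = khazad.dum", "relay_to_domains =")
                        .replace("  local_part_suffix = +* : -*\n", ""))

if __name__ == "__main__":
    for code, why in audit_config(SAMPLE_CONFIG):
        print("[%s] %s" % (code, why))
    print(rcpt_is_suspicious("RCPT TO:<balrog+${run{...}}@localhost>"))
```

On the sample configuration the audit reports the local_part_suffix and relay_to_domains cases; on the variant without them it reports nothing, which only means the instant remote paths are closed, not that the host is safe. The only real fix is Exim 4.92 or a distribution package that carries the backported patch, which is also why the version check is deliberately conservative about what a banner proves.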
The estimated number of vulnerable mail servers per country

The CVE-2019-10149 bug was patched by Exim's developers on February 10, 2019 in version 4.92, although "the bug was not identified at that time as a security vulnerability," and therefore most operating systems did not pick up the fix and remain affected. Researchers have named the CVE-2019-10149 flaw "The Return of the WIZard," connecting it to the 1999 WIZ and DEBUG bugs, which likewise enabled attackers to execute root commands on servers running vulnerable versions of the Sendmail mail transfer agent. According to a quick Shodan lookup, vulnerable Exim versions are currently running on roughly 4,800,000 machines, with over 588,000 servers running the patched Exim 4.92 release.