(Back) Slasher: RCE Horrors in Exim

September 10, 2019

Last week, a buffer overflow vuln, tracked as CVE-2019-15846, was announced in Exim that allows remote code execution (RCE) via a trailing backslash, perhaps like a blade-wielding ghost stalking you after being summoned to murder you (it’s never too early for Spooktober vibes). Exim is an open source mail transfer agent packaged by most Linux distros (and the default MTA on Debian), so any system running an Exim release older than 4.92.2 is affected.

Why it’s cool: This bug gives pre-authentication RCE with root privileges, which is dope in itself. Pre-auth is extra leet because the attacker doesn’t need credentials or an authenticated SMTP session; anyone who can reach the listening port can try it. The attack just requires the Exim server to accept TLS connections (it works whether Exim is built against GnuTLS or OpenSSL), and given that any security team worth their salt enables TLS on their mail servers, that means basically every Exim instance in enterprises will be vulnerable. 

Digging deeper: The heap overflow lives in the string_interpret_escape() function, reached from the SMTP delivery process. A heap overflow is a buffer overflow in which the overrun buffer lives in the heap (memory obtained from malloc() and friends) rather than on the stack, so what gets corrupted is neighbouring heap data instead of a return address. Exploitation works by connecting to Exim with TLS and sending a Server Name Indication (SNI) that ends with a backslash followed by the terminating NULL byte. When string_interpret_escape() unescapes that string it looks at the byte after the backslash, finds the NULL terminator, and steps past it, so the caller keeps reading beyond the end of the string: an out-of-bounds read whose extra bytes are then copied into an output buffer sized for the original string, turning it into an out-of-bounds write.
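To make the backslash-NULL defect concrete, here is an added example written for this post, not Exim’s string.c: a simplified unescaper with the trailing-backslash bug beside a hardened version, plus a harness that counts how far past a strlen+1 output buffer each one would write. The function names, the `unprint`/`overrun_bytes`/`unprints_to` harness and the constructed `evil\` input are ours; the hardened routine shows the idea of the fix (never step past the terminator), not the upstream patch itself.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a backslash-unescape routine with the trailing-backslash
 * defect described above.  Illustration written for this post, not Exim's
 * string.c.  The caller sizes its output as strlen(src)+1, i.e. it assumes
 * unescaping never produces more bytes than it consumes. */

/* Map the character after a backslash to the byte it stands for. */
static char map_escape(char ch)
{
    switch (ch) {
    case 'n': return '\n';
    case 'r': return '\r';
    case 't': return '\t';
    default:  return ch;      /* unknown escape: the character itself */
    }
}

/* Vulnerable: reads the byte after the backslash without checking for the
 * terminator.  For a trailing backslash that byte is the NUL, *pp is left
 * pointing at it, and the caller's p++ then steps past the end of the string. */
static char vuln_interpret_escape(const char **pp)
{
    const char *p = *pp;      /* at the backslash */
    char ch = *(++p);         /* may be the terminating NUL */
    *pp = p;
    return map_escape(ch);
}

/* Hardened: a trailing backslash is emitted literally and the cursor is not
 * advanced, so the caller's loop stops on the real NUL. */
static char fixed_interpret_escape(const char **pp)
{
    const char *p = *pp;
    if (p[1] == '\0')
        return '\\';          /* *pp unchanged: caller's p++ lands on the NUL */
    *pp = p + 1;
    return map_escape(p[1]);
}

typedef char (*escape_fn)(const char **);

/* Unescape src into out (capacity outcap).  Returns the number of bytes the
 * routine wanted to produce including the terminator; anything beyond
 * strlen(src)+1 is what an unchecked caller would have written past its buffer. */
static size_t unprint(const char *src, char *out, size_t outcap, escape_fn esc)
{
    const char *p = src;
    size_t n = 0;
    while (*p) {
        char c = (*p == '\\') ? esc(&p) : *p;
        if (n < outcap) out[n] = c;
        n++;
        p++;
    }
    if (n < outcap) out[n] = '\0';
    return n + 1;
}

/* How many bytes esc() overruns a strlen(src)+1 buffer by for a trailing-backslash
 * SNI.  The constructed input is one array: the SNI text, its NUL, then bytes that
 * stand in for whatever sits after the string on a real heap, so the over-read stays
 * inside a single object here while showing exactly what gets copied. */
static size_t overrun_bytes(escape_fn esc)
{
    static const char sni[] = "evil\\\0HEAPDATA";   /* "evil\" NUL "HEAPDATA" NUL */
    char out[64];
    size_t produced = unprint(sni, out, sizeof out, esc);
    size_t allocated = strlen(sni) + 1;              /* 6: what the caller sized */
    return produced > allocated ? produced - allocated : 0;
}

/* Convenience check: does esc() turn src into exactly expected, and nothing more? */
static int unprints_to(const char *src, const char *expected, escape_fn esc)
{
    char out[64];
    size_t produced = unprint(src, out, sizeof out, esc);
    return produced == strlen(expected) + 1 && strcmp(out, expected) == 0;
}

int main(void)
{
    printf("vulnerable routine overruns by %zu bytes\n", overrun_bytes(vuln_interpret_escape));
    printf("hardened routine overruns by %zu bytes\n", overrun_bytes(fixed_interpret_escape));
    return 0;
}
```

With the constructed input the vulnerable routine copies all eight bytes of `HEAPDATA` past the six-byte buffer the caller allocated, while the hardened one produces exactly `evil\` and stops; ordinary escapes such as `\n` behave identically in both.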

This heap overflow is used to overwrite the header of a free memory chunk and increase its recorded size so that it overlaps chunks that are already allocated. Then this new heckin’ memory chonker is handed out by the allocator, and writing through it lets the attacker overwrite the overlapped heap data with arbitrary bytes. From there, the attacker could, for instance, overwrite a file path stored on the heap so that Exim writes to /etc/passwd and adds a new user, as Qualys outlined. The same primitive could also be used to add cron jobs, replace sshd to capture creds, or perform other nefarious tricks. It’s possible this bug can be pushed all the way to arbitrary code execution (running attacker-supplied shellcode rather than just writing files), though that remains to be seen.
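The chunk-overlap step described above, as an added illustration written for this post (not Exim’s, Qualys’s or glibc’s code): a toy first-fit heap with inline size headers, where an unchecked copy into one chunk forges the size of the free chunk behind it, so the next allocation that fits is handed a region overlapping the chunk that holds a file path. The layout, the chunk names S/F/P and both path strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Toy heap: a flat arena of chunks, each an 8-byte header (size, in_use)
 * followed by its user data, handed out first-fit.  Written for this post to
 * illustrate the chunk-overlap technique; it is not glibc malloc and not Exim
 * code, and every offset, chunk name and path string below is constructed. */

struct hdr { uint32_t size; uint32_t in_use; };

#define ARENA_SIZE 256
static union { uint64_t align; unsigned char bytes[ARENA_SIZE]; } arena_u;
#define arena (arena_u.bytes)
static size_t arena_used;

static struct hdr *hdr_at(size_t off) { return (struct hdr *)(arena + off); }
static unsigned char *data_at(size_t off) { return arena + off + sizeof(struct hdr); }

/* Write a chunk header at off and return the offset of the next chunk. */
static size_t place(size_t off, uint32_t size, uint32_t in_use)
{
    struct hdr *h = hdr_at(off);
    h->size = size;
    h->in_use = in_use;
    return off + sizeof *h + size;
}

/* Layout: S = 16-byte chunk that receives the unescaped SNI copy, F = 16-byte free
 * chunk directly behind it, P = 32-byte in-use chunk holding the path the program
 * will later open for writing. */
enum { S_OFF = 0, F_OFF = 24, P_OFF = 48 };

static void heap_init(void)
{
    memset(arena, 0, ARENA_SIZE);
    size_t off = place(S_OFF, 16, 1);
    off = place(off, 16, 0);             /* lands at F_OFF */
    off = place(off, 32, 1);             /* lands at P_OFF */
    arena_used = off;
    strcpy((char *)data_at(P_OFF), "/var/spool/exim/out");   /* constructed path */
}

/* First-fit allocator that, like a real one, trusts the size fields it walks over. */
static unsigned char *toy_alloc(uint32_t n)
{
    for (size_t off = 0; off < arena_used; ) {
        struct hdr *h = hdr_at(off);
        if (!h->in_use && h->size >= n) {
            h->in_use = 1;
            return data_at(off);
        }
        off += sizeof *h + h->size;
    }
    return NULL;
}

static const char *current_path(void) { return (const char *)data_at(P_OFF); }

/* 1) an unchecked copy into S runs 8 bytes past its data and forges F's header so
 *    F appears to span F and P;  2) the next request that only the enlarged F can
 *    satisfy is handed F, which now overlaps P;  3) writing through it replaces
 *    the path in P while keeping P's own header intact. */
static const char *run_attack(void)
{
    heap_init();

    unsigned char payload[24];                                  /* 16 filler + 8 forged header */
    struct hdr forged = { (uint32_t)(16 + sizeof(struct hdr) + 32), 0 };   /* 56 bytes, "free" */
    memset(payload, 'A', 16);
    memcpy(payload + 16, &forged, sizeof forged);
    memcpy(data_at(S_OFF), payload, sizeof payload);            /* the overflow: S holds only 16 */

    unsigned char *big = toy_alloc(56);
    if (!big) return NULL;

    unsigned char fill[56];
    struct hdr keep = { 32, 1 };                                /* P's original header */
    memset(fill, 'B', 16);
    memcpy(fill + 16, &keep, sizeof keep);
    memset(fill + 24, 0, 32);
    memcpy(fill + 24, "/etc/passwd", sizeof "/etc/passwd");
    memcpy(big, fill, sizeof fill);                             /* lands on P's data */

    return current_path();
}

int main(void)
{
    heap_init();
    printf("before: %s\n", current_path());
    printf("after:  %s\n", run_attack());
    return 0;
}
```

The point is the second step: nothing in the forged header is "executed", the allocator simply believes the size it finds and returns memory it still thinks is exclusively the attacker’s. Real allocators add integrity checks on chunk metadata, which is why the real exploit needs more care than this model, but the shape of the primitive is the same.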

The bottom line: Hit the panic button if you don’t have a proper patching process in place; a pre-auth root RCE is tempting even for unmotivated attackers. Thankfully, Debian and Ubuntu have fixes out; otherwise download and build Exim 4.92.2 ASAP. You can see what you’re running with exim -bV, but note that distro packages often backport the fix without bumping the upstream version string, so check your package’s changelog rather than trusting the number alone. Short of patching, the blunt workaround is to stop offering TLS, which we definitely don’t recommend.

Capsule8 customers don’t have to hit the panic button, as we have multiple ways to detect exploitation of this vuln, even if someone tries to turn this into arbitrary code execution (not just file overwrites). Ask your customer rep or contact us to learn more.

The Capsule8 Labs team conducts offensive and defensive research to understand the threat landscape for modern infrastructure and to continuously improve Capsule8’s attack coverage.