Last week, a buffer overflow vuln, deemed CVE-2019-15846, was announced in Exim that allowed remote code execution (RCE) via a trailing backslash, perhaps like a blade-wielding ghost stalking you after being summoned to murder you (it’s never too early for Spooktober vibes). Exim is an open source mail transfer agent shipped with most Linux distros, so any Linux distro shipping Exim pre-4.92.2 is affected.
Why it’s cool: This bug allows for pre-authentication RCE to gain root privileges, which is dope in itself. Pre-auth RCE is extra leet since it means the user doesn’t even have to be logged into Exim for the attacker to exploit the bug. The attack just requires the Exim server to accept TLS connections (regardless of the TLS library), and given any security team worth their salt should be using TLS, that means basically every Exim instance in enterprises will be vulnerable.
Digging deeper: The heap overflow bug is within the string_interpret_escape() function within the SMTP delivery process. Heap overflows are a type of buffer overflow, in which attackers overwrite memory regions allocated by a function like malloc() in the heap. Exploitation of this bug works by connecting to Exim with TLS and sending a Server Name Indication (SNI) that ends with backslash-NULL. Then, the backslash-NULL bug is exploited in string_interpret_escape(), in which the supplied SNI leads to an out-of-bounds read turning into an out-of-bounds write.
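The backslash-NULL pattern described above, as an added example that is not Exim's code or part of the original post: a simplified unescaping loop with a flawed and a hardened mode, run over a constructed buffer. The function names, the check_nul flag and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a backslash-unescaping loop; not Exim's source.
 * src is a region of cap bytes that we own, so the flawed scan can be
 * observed without touching memory outside the buffer. */
static size_t unescape(const char *src, size_t cap, char *dst, size_t dcap,
                       int check_nul)
{
    size_t i = 0, o = 0;
    if (dcap == 0)
        return 0;
    while (i < cap && src[i] != '\0' && o + 1 < dcap) {
        if (src[i] == '\\' && i + 1 < cap) {
            /* Hardened mode leaves a trailing backslash as a literal. */
            if (!check_nul || src[i + 1] != '\0')
                i++;   /* step onto the escaped byte; flawed mode lands on the NUL */
        }
        dst[o++] = src[i++];   /* flawed mode copies the NUL and walks past it */
    }
    dst[o] = '\0';
    return o;   /* bytes written before the terminator added here */
}

/* Constructed input: the string "abc\" followed by unrelated bytes "XYZ"
 * standing in for whatever follows the terminator in memory. */
static const char region[] = "abc\\\0XYZ";

size_t input_len(void) { return strlen(region); }

size_t written(int hardened)
{
    char out[sizeof region];   /* large enough for either mode */
    return unescape(region, sizeof region, out, sizeof out, hardened);
}

int main(void)
{
    printf("input length:    %zu\n", input_len());
    printf("flawed writes:   %zu\n", written(0));
    printf("hardened writes: %zu\n", written(1));
    return 0;
}
```

In flawed mode the loop writes more bytes than the input string contains, which is how a destination buffer sized from the string's length ends up overrun.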
This heap overflow is used to overwrite the header of a free memory chunk and increase its size to overlap with already-allocated chunks. Then, this new heckin’ memory chonker is used to overwrite the heap with arbitrary data. From there, the attacker could, for instance, overwrite a file path stored on the heap to write to /etc/passwd and add a new user, as Qualys outlined. But you could also replace sshd to capture creds, add cron jobs, or perform other nefarious tricks. It’s possible this bug possesses the potential for full arbitrary code execution (aka “shellcode”), though that remains to be seen.
The bottom line: You may want to hit the panic button if you don’t have a proper patching process in place — a pre-auth RCE can even be tempting for unmotivated attackers. Thankfully, Debian and Ubuntu have fixes out, else you should download and build the fixed version of Exim ASAP. The only other workaround is to disable TLS, which we definitely don’t recommend.
Capsule8 customers don’t have to hit the panic button, as we have multiple ways to detect exploitation of this vuln, even if someone tries to turn this into arbitrary code execution (not just file overwrites). Ask your customer rep or contact us to learn more.
The Capsule8 Labs team conducts offensive and defensive research to understand the threat landscape for modern infrastructure and to continuously improve Capsule8’s attack coverage.
Kelly Shortridge is currently VP of Product Strategy at Capsule8. In her spare time, she researches applications of behavioral economics to information security, on which she’s spoken at conferences internationally, including Black Hat, AusCERT, Hacktivity, Troopers, and ZeroNights.
Most recently, Kelly was the Product Manager for Analytics at SecurityScorecard. Previously, Kelly was the Product Manager for cross-platform detection capabilities at BAE Systems Applied Intelligence as well as co-founder and COO of IperLane, which was acquired. Prior to IperLane, Kelly was an investment banking analyst at Teneo Capital covering the data security and analytics sectors.