A successful attack executes arbitrary code with the privileges of the Exim process on the victim machine.

It is recommended to upgrade Exim as soon as possible. Take the current release from https://www.exim.org/ or, on a packaged system, from your distribution's security updates; distributions usually backport the fix without changing the Exim version number, so check the package changelog rather than only the version string. Exim has no self-update switch: upgrading means installing the new package, or building the new release and installing it over the old binary. After upgrading, run exim -bV to confirm the version that is actually running and to have Exim re-read and syntax-check the runtime configuration file; run exim -bP if you want to dump the effective option values and compare them with the old installation. If you built Exim yourself into a non-standard prefix such as /usr/local, do not move the binary by hand; instead make sure the path that your init scripts and the sendmail symlink point at is the binary you just replaced, otherwise the old vulnerable binary keeps running. Finally, check the runtime configuration file: Exim requires it to be owned by root (or the compile-time CONFIGURE_OWNER) and refuses to start if it is world-writable, so root ownership with mode 0644 or stricter is the safe setting.
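The post-upgrade checks above, written as reusable shell functions. This is an added example, not code from the original page or from the Exim project: the `exim -bV` banner embedded below is constructed for illustration, MIN_VERSION is an assumption that must be set to the first fixed release named in the advisory you are acting on, and the owner passed to config_file_safe stands in for the compile-time CONFIGURE_OWNER.

```sh
#!/bin/sh
# Added example: post-upgrade checks for an Exim installation.
# MIN_VERSION is an assumption; replace it with the first fixed release.
MIN_VERSION=${MIN_VERSION:-4.96}

# Constructed sample of an `exim -bV` banner, used when exim is not installed.
SAMPLE_BANNER='Exim version 4.96 #2 built 20-Jan-2023 12:00:00
Copyright (c) University of Cambridge, 1995 - 2022'

# Extract "4.96" from a banner line like "Exim version 4.96 #2 built ...".
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare dotted versions numerically, component by component.
# Returns 0 when $1 >= $2, so 4.96 >= 4.95 and 4.95.1 >= 4.95, but 4.95 < 4.95.1.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Returns 0 when the banner names a version that is at least $2.
exim_upgraded() {
    v=$(exim_version_from_banner "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" "$2"
}

# The runtime configuration file must be owned by root (or the compile-time
# CONFIGURE_OWNER, passed here as $2) and must not be world-writable.
# Returns 0 when both checks pass, 1 otherwise.
config_file_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "root" ] || [ "$owner" = "$2" ] || return 1
    # POSIX find: -perm -002 matches when the "other write" bit is set.
    [ -z "$(find "$f" -prune -perm -002)" ] || return 1
    return 0
}

# Demo: use the real exim if present, otherwise the constructed banner.
if command -v exim >/dev/null 2>&1; then
    banner=$(exim -bV 2>/dev/null) || banner=$SAMPLE_BANNER
    cfg=$(exim -bP configure_file 2>/dev/null | sed -n 's/^configure_file = //p')
else
    banner=$SAMPLE_BANNER
    cfg=""
fi

if exim_upgraded "$banner" "$MIN_VERSION"; then
    echo "exim $(exim_version_from_banner "$banner") >= $MIN_VERSION: ok"
else
    echo "exim older than $MIN_VERSION or not found: upgrade needed"
fi

if [ -n "$cfg" ]; then
    if config_file_safe "$cfg" root; then
        echo "config $cfg: ownership and permissions ok"
    else
        echo "config $cfg: fix ownership (root) and remove world-write"
    fi
fi
```

On a real host, feed the live `exim -bV` output to exim_upgraded and the path printed by `exim -bP configure_file` to config_file_safe; the constructed banner only keeps the example runnable where Exim is absent.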

Exploiting the Vulnerability

The vulnerability involves the following functions of the Exim server:

* exim_run() (1), which runs a command as the pseudo-user and writes the result to a file.
* exim_checkconf() (2), which reads in a configuration file and runs the commands it contains.
* exim_main() (3), which starts the main message-processing loop.
* exim_sendmail() (4), which sends email through an SMTP server.
* exim_openpgpverify() (5), which verifies PGP signatures.
* exim_getuidinfo() (6), which determines which user id is currently logged in on the machine. If no user is logged in, the function returns immediately, and commands are then executed with the privileges of whatever user id it reports.

How is the vulnerability exploited?

The vulnerability is easy to exploit remotely. A remote attacker sends a specially crafted email carrying a .tcl file to the victim; when the Exim process on the victim machine handles the message, it executes the attacker's code with the privileges of the Exim process.

Timeline

Published on: 08/07/2022 18:15:00 UTC
Last modified on: 08/27/2022 19:15:00 UTC

References